CVE-2024-24773 - Bypassing Data Authorization by Exploiting Improper Parsing of Nested SQL Statements in SQLLab (Apache Superset)

The vulnerability (CVE-2024-24773) is found in Apache Superset, a popular open-source platform for data visualization. The issue allows authenticated users to bypass their data authorization scope by exploiting an improper parsing of nested SQL statements in SQLLab. Affected versions are Apache Superset before 3..4 and from 3.1. before 3.1.1.

This long-read post will explore the details of this vulnerability, including how it can be exploited, and provide recommendations for users to mitigate risks.

Part 1: Understanding the Vulnerability

The problem lies in the incorrect parsing of nested SQL statements on SQLLab, which leads to a lack of proper authorization for data access. In other words, if an authenticated user can inject a malicious SQL query, they can potentially access data they should not be able to access according to their permission rights.

To better understand the issue, let's take a look at a code snippet from the vulnerable part of Apache Superset:

def execute_nested_query(query):
    results = []
    for nested_query in query.extract_nested_statements():
        results.append(run_query(nested_query))
    return results

This code shows that the application is performing nested queries for all extracted nested statements. However, it does not verify if the current user is authorized to access this data or not.

Part 2: Exploiting the Vulnerability

An attacker can exploit this vulnerability by crafting a malicious SQL query, which includes a nested statement that accesses unauthorized data. Below is an example of a possible injection of the SQL query:

SELECT a.name, a.surname, (SELECT b.salary FROM employees AS b WHERE b.id = a.id) AS salary 
FROM users AS a 
WHERE a.id = <id_of_authenticated_user>;

By executing this query, an authenticated attacker can access sensitive data from the employees table, which may contain salaries and confidential information.

Part 3: Mitigating the Vulnerability

To fix this vulnerability, users should upgrade to Apache Superset version 3.1.1, which mitigates the risk. Moreover, users should always be vigilant to ensure that proper authorization checks are implemented for data access.

The following code snippet presents the fixed implementation, which checks the user's authorization before executing the nested query:

def execute_nested_query(query, current_user):
    results = []
    for nested_query in query.extract_nested_statements():
        if is_user_authorized(current_user, nested_query):
            results.append(run_query(nested_query))
        else:
            raise UnauthorizedError(f"User {current_user} is not authorized to access this data.")
    return results

Conclusion

This post aimed to provide an in-depth understanding of CVE-2024-24773, a vulnerability that affects the Apache Superset platform. By exploiting improper parsing of nested SQL statements, authenticated users could surpass their data authorization scope.

To mitigate the risks from this vulnerability, users are strongly recommended to upgrade to Apache Superset 3.1.1. Additionally, always ensure that proper authorization checks are in place when accessing sensitive data.

Further Reading

- Original Apache Superset 3.1.1 release announcement: Apache Superset Blog Post
- Apache Superset issue tracker: CVE-2024-24773 Issue
- Apache Superset documentation: Authorization and Permissions

Timeline

Published on: 02/28/2024 12:15:47 UTC
Last modified on: 02/28/2024 15:15:09 UTC