CVE CyberSecurity Database News

CVE-2024-24773 - Bypassing Data Authorization in Apache Superset via Nested SQL Injection

Poster -

Recently, a critical vulnerability — CVE-2024-24773 — was discovered in Apache Superset, a popular open-source data exploration and visualization platform. This flaw affects the handling of nested SQL statements in SQLLab and allows authenticated users to bypass their data access restrictions. In this post, we’ll break down what happened, how it can be exploited, and what you should do to stay protected.

What is CVE-2024-24773?

CVE-2024-24773 is an improper parsing vulnerability in SQLLab, a web-based SQL editor in Superset. The bug lets authenticated users run certain nested SQL queries that effectively evade Superset’s row-level security and data authorization constraints. In simple terms, someone with access to Superset can, under certain circumstances, view or extract data they aren’t supposed to.

How Does the Vulnerability Work?

Superset is designed to let admins set granular data access controls — so different users only see what they're supposed to. Controls might be in place via row-level security (RLS) or database/table/column permissions. Normally, Superset parses user-submitted queries and enforces these controls.

However, with this bug, a specially crafted SQL query can "wrap" a restricted statement inside another statement or use specific comment or nesting techniques, causing Superset to misparse where the actual data request is. The net result: the user's permissions aren't properly applied, and the query runs with broader access.

Example Scenario

Assume a user only has access to "sales" data for department_id = 5, but they want to view all sales across all departments.

Row-Level Security Policy in Place

SELECT * FROM sales WHERE department_id = 5

The attacker could submit something like

SELECT * FROM (SELECT * FROM sales) AS nested

In some Superset versions, this might bypass the RLS policy if Superset only applied the filter to the top-level statement. Alternatively, certain comment tricks or statement nesting might also evade policy checks, like so:

/*+ RLS_BYPASS */ SELECT * FROM sales

Submit a nested query that hides the real table access:

SELECT * FROM (SELECT * FROM secret_table) as tmp

Receive data outside your usual authorization scope.

This can be weaponized if the attacker knows or guesses underlying table/column names.

Affected Versions

| Superset Version | Vulnerable to CVE-2024-24773? |
|------------------|-------------------------------------------|
| < 3..4 | Yes |
| 3..4 | No (fixed) |
| 3.1. | Yes |
| 3.1.1+ | No (fixed) |

Remediation

Superset maintainers have provided a fix in version 3.1.1. Users should upgrade as soon as possible.

To upgrade with pip

pip install --upgrade apache-superset

On Docker Compose

docker-compose pull
docker-compose up -d

Apache Superset security advisories:

https://github.com/apache/superset/security/advisories/GHSA-xxxx-xxxx-xxxx *(Replace with actual)*

Public CVE database:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24773

Superset Release Notes 3.1.1:

https://github.com/apache/superset/releases/tag/3.1.1

Conclusion

CVE-2024-24773 is a serious bug that can let permitted Superset users break out of their data sandbox using nested SQL queries. Don’t delay: upgrade any affected Superset deployments to 3.1.1 or newer immediately and audit your deployments for similar issues. Remember that security is as much about following best practices as it is about keeping up to date.

Timeline

Published on: 02/28/2024 12:15:47 UTC
Last modified on: 02/28/2024 15:15:09 UTC