A recent security vulnerability, CVE-2024-24779, was discovered in Apache Superset affecting versions before 3..4 and 3.1. before 3.1.1. This flaw lets users with certain custom roles create “virtual datasets” and then access data they should never see—even if you thought your data permissions were locked down tight.
In this deep dive, we’ll break down how it works, how attackers can exploit it, and how to protect your Superset dashboards. You’ll also find real code snippets and links to the official advisory.
What is Apache Superset?
Apache Superset is an open-source platform for data analysis and visualization. It’s often used by companies to let non-technical users slice and dice data securely, using a system of datasets, databases, dashboards, and—most importantly—role-based access controls (RBAC).
Understanding the Vulnerability
Superset admins can create custom roles to finely control how users can view or edit datasets. Typically, a user needs very specific permissions like:
all data access
Intuitively, if a user does not have “All Data Access” or “All Database Access,” they shouldn’t be able to get at other users’ data.
Here’s where the bug creeps in: If you grant a user the custom role permission, can write on dataset, but don’t give them all data/database access, they can still create a virtual dataset that queries data they shouldn’t see. These unauthorized virtual datasets could then be used elsewhere in Superset—leaking data.
Here’s how a malicious-but-limited Superset user could attack
1. User is assigned a custom role with can write on dataset but NOT all data/database access.
2. User creates a new dataset but points it at a table or schema they technically should NOT be able to access directly.
3. Through ‘virtual datasets’, they write SQL queries that join or union together data—including protected datasets.
4. The dataset is now available in their workspace, and they can make charts or dashboards on unauthorized data.
Visual Diagram
+---------------------------+
| User w/ Custom Role |
+---------------------------+
|
(has can write on dataset)
|
Creates Virtual Dataset
|
(Points to hidden table)
|
Unauthorized Data Access!
Proof-of-Concept Code Snippet
Let’s imagine a user named limited_user who is only meant to see data from the public.sales table. But in the same database, there’s a secret private.hr_payroll table.
If given the (faulty) custom role, they could make a virtual dataset as below
-- This virtual dataset pulls from a restricted table!
SELECT *
FROM private.hr_payroll
WHERE employee_id = 101
Or, joining data from public and private tables
SELECT s.name, p.salary
FROM public.sales s
JOIN private.hr_payroll p ON s.employee_id = p.employee_id
All this, without the user ever getting “all data access”!
What This Means
Attackers don’t need superuser or admin access. All it takes is this subtle misconfiguration in your roles.
Version 3.1.1 or higher
Both plug this loophole so users can’t create virtual datasets over data they’re not supposed to see.
Update your Superset installation using pip or Docker
# For pip installations:
pip install apache-superset==3.1.1
# Or upgrade to the latest:
pip install apache-superset --upgrade
# For Docker:
# Update your Dockerfile or docker-compose.yml to the new version tag (3.1.1 or later).
Re-audit all custom roles in Security > List Roles.
- Make sure can write on dataset is only given to trusted users, and don’t grant extra permissions without understanding their scope.
Official References
- Apache Superset Security Advisory (CVE-2024-24779)
- GitHub Issue & Commit
- NVD CVE Detail Page
Summary
CVE-2024-24779 could let crafty users break your Superset security fence just by abusing the "can write on dataset" permission. If you use custom roles, update your Superset dashboards NOW to 3..4 or 3.1.1+.
Missing this patch could mean sensitive financials, HR data, or trade secrets slipping out through a back door.
Stay safe, update early, and double-check your roles!
Did you find this post helpful? Bookmark or share with your IT and data teams—this small permission bug could have meant a big breach.
Timeline
Published on: 02/28/2024 12:15:47 UTC
Last modified on: 02/28/2024 15:15:09 UTC