Summary:
A new SQL injection vulnerability, CVE-2024-53947, has been disclosed in Apache Superset, affecting all versions before 4.1.0. It is a follow-up to CVE-2024-39887: three more PostgreSQL-specific functions were missing from Superset's SQL function deny list, letting a SQL Lab user get around the check that is supposed to stop them. Here is a look at what is going on, how it can be abused, and, most importantly, how to fix it.

What’s Going On?

Apache Superset is a popular open-source data exploration and visualization platform. To limit what SQL Lab users can run, Superset keeps a deny list of dangerous SQL functions (the DISALLOWED_SQL_FUNCTIONS setting) and rejects statements that call them. The PostgreSQL functions query_to_xml_and_xmlschema, table_to_xml and table_to_xml_and_xmlschema were not on that list, so a user could wrap a query in one of them and have the database execute it anyway.

Explaining the Problem

Classic SQL injection happens when untrusted input is pasted into a query without proper filtering. Here the situation is slightly different: the user is allowed to type SQL directly into SQL Lab, and what protects the database is Superset's deny list of functions that can be abused. These XML functions take a query string (or a table name) as an argument and run it inside the database, so any user with SQL Lab access could use them to read tables the deployment did not intend to expose, with the full privileges of the database connection Superset is configured with.

Exploit Example

Say your Superset instance gives analysts SQL Lab access on a PostgreSQL connection and relies on the deny list to keep their queries within bounds. An attacker simply wraps the query they are not supposed to run inside one of the unblocked functions:

Example SQL payload using query_to_xml_and_xmlschema

SELECT query_to_xml_and_xmlschema(
  'SELECT secret_column FROM restricted_table',  -- query: executed by the server as-is
  false,  -- nulls: omit NULL columns from the output
  false,  -- tableforest: wrap all rows in a single <table> element
  ''      -- targetns: empty XML target namespace
);

If the function is not on the deny list, Superset forwards the statement unchanged and PostgreSQL executes the embedded query with the privileges of the database user Superset connects as. The contents of restricted_table come back as an XML document in a single result row, regardless of which tables Superset meant to expose to this user. Note that what is bypassed is Superset's own check, not PostgreSQL's: the database role's grants remain the outer limit on what can be read.
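To see how a deny-list check of this kind works and why the three missing names mattered, here is an added example. It is not Superset's code (Superset parses SQL with a real parser; this uses a regex over the statement), and the deny lists PRE_PATCH and HARDENED and the sample statements are constructed for the example. It extracts the function names called in a statement, blanks string literals and comments first so the query text inside the payload is not mistaken for a top-level call, and compares the names against a per-engine deny list shaped like DISALLOWED_SQL_FUNCTIONS.

```python
"""Added example: a minimal function deny-list check in the spirit of Superset's
DISALLOWED_SQL_FUNCTIONS. Not Superset's code (Superset uses a SQL parser; this
uses a regex). Deny lists and sample statements are constructed for illustration.
"""
from __future__ import annotations

import re

# Stand-in deny lists keyed by engine, mirroring the shape of the setting.
# PRE_PATCH blocks query_to_xml but none of the three functions in the
# advisory; HARDENED adds them.
PRE_PATCH: dict[str, set[str]] = {"postgresql": {"query_to_xml"}}
HARDENED: dict[str, set[str]] = {
    "postgresql": {
        "query_to_xml",
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "table_to_xml_and_xmlschema",
    },
}

# An identifier followed by "(" (whitespace allowed in between) is a call.
FUNC_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def called_functions(sql: str) -> set[str]:
    """Lower-cased names of every function called at statement level in sql.

    String literals and comments are blanked first so a name inside a literal
    (such as the query text handed to query_to_xml_and_xmlschema) is not taken
    for a call. The outer wrapper is what the deny list has to catch: once it
    runs, PostgreSQL executes the embedded query itself. Good enough for the
    example; a real checker should use a SQL parser.
    """
    cleaned = re.sub(r"'(?:[^']|'')*'", "''", sql)          # '...' literals
    cleaned = re.sub(r"--[^\n]*", "", cleaned)                # -- comments
    cleaned = re.sub(r"/\*.*?\*/", "", cleaned, flags=re.S)   # /* */ comments
    return {m.group(1).lower() for m in FUNC_CALL.finditer(cleaned)}


def blocked_functions(sql: str, engine: str, disallowed: dict[str, set[str]]) -> set[str]:
    """Functions in sql that the deny list for this engine forbids (case-insensitive)."""
    denied = {name.lower() for name in disallowed.get(engine, set())}
    return called_functions(sql) & denied


def is_allowed(sql: str, engine: str, disallowed: dict[str, set[str]]) -> bool:
    """True if the statement calls nothing on the engine's deny list."""
    return not blocked_functions(sql, engine, disallowed)


# Constructed statements: the payload from the post, the older query_to_xml
# variant that the earlier fix targeted, and a benign analyst query.
PAYLOAD = """SELECT query_to_xml_and_xmlschema(
  'SELECT secret_column FROM restricted_table', false, false, '');"""
OLD_PAYLOAD = "SELECT query_to_xml('SELECT secret_column FROM restricted_table', false, false, '')"
BENIGN = "SELECT count(*) FROM public.orders WHERE created_at > now() - interval '1 day'"

if __name__ == "__main__":
    for label, lists in (("pre-patch", PRE_PATCH), ("hardened", HARDENED)):
        for name, stmt in (("payload", PAYLOAD), ("old payload", OLD_PAYLOAD), ("benign", BENIGN)):
            verdict = "allowed" if is_allowed(stmt, "postgresql", lists) else "blocked"
            print(f"{label:9} {name:12} {verdict}")
```

Under PRE_PATCH the payload is allowed while the older query_to_xml variant is blocked, which is exactly the gap the advisory describes; under HARDENED both are blocked and the benign query still passes. The check lower-cases names and tolerates whitespace before the parenthesis, since a deny list that compares exact strings is easy to sidestep with `QUERY_TO_XML_AND_XMLSCHEMA (`.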

Why Was This Missed Before?

The original deny list covered the obvious general-purpose functions. These PostgreSQL XML functions are more obscure and were left out, even though they do exactly what the list exists to prevent: execute a caller-supplied query or dump a whole table. The earlier fix for CVE-2024-39887 therefore turned out to be incomplete, and this CVE is the follow-up that closes the remaining gap.

How to Fix & Protect Yourself

The good news:
Upgrading to Superset 4.1.0 or later fixes this issue. Not everyone can upgrade immediately, though, so here is an interim mitigation.

In your superset_config.py, add the three functions to the PostgreSQL entry of DISALLOWED_SQL_FUNCTIONS. The setting is a dict keyed by engine name, and assigning it replaces the default dict, so keep the entries that ship in superset/config.py for PostgreSQL and for any other engines you use:

DISALLOWED_SQL_FUNCTIONS = {
    "postgresql": {
        # keep the names already shipped in the default config, e.g.:
        "query_to_xml",
        # ...and add the three functions named in the advisory:
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "table_to_xml_and_xmlschema",
    },
    # copy the default entries for any other engines you use from superset/config.py
}

*Restart your Superset server after making changes!*

Then follow the upgrade docs to move your install to 4.1.0 or later:

- Superset Upgrade Guide

References

- Apache Superset Security Advisory GHSA-xcvj-77gq-hvjq
- NVD Entry for CVE-2024-39887
- Superset Release Notes

Final Word

Don’t wait to patch.
SQL injection is one of the most direct ways attackers compromise data platforms like Superset, and a deny-list gap like this one takes a single statement to use once SQL Lab is reachable. Even if your instance sits behind a VPN or is "internal only", an insider or a phished analyst account is enough. Upgrade to 4.1.0 or add those functions to your deny list now.

If you are unsure of your exposure: check which version you are running, review the PostgreSQL entry of DISALLOWED_SQL_FUNCTIONS, and restrict SQL Lab access to users who genuinely need it.
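As an added example of that exposure check (not Superset's own tooling), the following script takes the version string you see in the About dialog or from `pip show apache-superset` and the DISALLOWED_SQL_FUNCTIONS dict from your config, and reports whether the deployment is patched, mitigated by config, or still exposed. FIXED_VERSION is taken from the post; the version strings and config dicts are constructed for the example.

```python
"""Added example, not Superset's own tooling: audit the two things the post
says to check, the running version and the PostgreSQL entry of
DISALLOWED_SQL_FUNCTIONS. Version strings and the config dicts below are
constructed for illustration."""
from __future__ import annotations

import re

FIXED_VERSION = (4, 1, 0)  # first release the post describes as carrying the fix
ADVISORY_FUNCTIONS = {
    "query_to_xml_and_xmlschema",
    "table_to_xml",
    "table_to_xml_and_xmlschema",
}


def parse_version(version: str) -> tuple[int, int, int]:
    """'4.0.2' -> (4, 0, 2); '3.1' -> (3, 1, 0); a trailing suffix such as 'rc1' is ignored."""
    match = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(part or 0) for part in match.groups())
    return (major, minor, patch)


def version_is_patched(version: str) -> bool:
    """True when the running release is at or above the fixed version."""
    return parse_version(version) >= FIXED_VERSION


def missing_blocks(disallowed: dict[str, set[str]]) -> set[str]:
    """Advisory functions absent from the PostgreSQL deny list (case-insensitive)."""
    present = {name.lower() for name in disallowed.get("postgresql", set())}
    return ADVISORY_FUNCTIONS - present


def assess(version: str, disallowed: dict[str, set[str]]) -> str:
    """One-line verdict for a deployment."""
    if version_is_patched(version):
        return "patched"
    missing = missing_blocks(disallowed)
    if not missing:
        return "unpatched but mitigated by config"
    return "vulnerable: deny list missing " + ", ".join(sorted(missing))


# Constructed configs: a PostgreSQL entry without the interim fix, and the
# same entry with the three advisory functions added.
UNMITIGATED = {"postgresql": {"query_to_xml"}}
MITIGATED = {"postgresql": {"query_to_xml", *ADVISORY_FUNCTIONS}}

if __name__ == "__main__":
    for ver, cfg in (("4.0.2", UNMITIGATED), ("4.0.2", MITIGATED), ("4.1.0", UNMITIGATED)):
        print(f"Superset {ver}: {assess(ver, cfg)}")
```

The config mitigation only counts if all three names are present, so a partial edit (say, only query_to_xml_and_xmlschema) is still reported as vulnerable with the remaining names listed; the comparison is case-insensitive because the deny list is matched against function names, not against how they were typed.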

Stay safe—don’t let attackers feast on your Superset instance.

*This post contains original explanations and simple breakdowns of a fast-evolving security threat. For in-depth details, consult Superset’s GitHub and always follow the official advisories!*

Timeline

Published on: 12/09/2024 14:15:12 UTC