A recent vulnerability has been discovered in Apache Superset, an open-source data exploration and visualization platform. The vulnerability, tracked as CVE-2024-53947, is an "Improper Neutralization of Special Elements used in an SQL Command" (also known as 'SQL Injection') weakness in the platform. The flaw allows attackers to bypass Apache Superset's SQL authorization mechanisms by injecting malicious queries through certain engine-specific functions that were not properly checked.
Original Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53947
This vulnerability is closely related to an earlier one, CVE-2024-39887, as both share the same underlying root cause. As a follow-up to that earlier fix, the CVE-2024-53947 patch covers additional PostgreSQL functions that the prior fix had left out (they are listed in the configuration snippet below).
Affected Versions: Apache Superset <4.1.
To secure your Apache Superset installation, it is strongly recommended that you upgrade to the patched release (version 4.1.), which contains the fix for this vulnerability. If you cannot upgrade immediately, you can block these PostgreSQL functions in the meantime by adding them to the DISALLOWED_SQL_FUNCTIONS configuration setting.
The following snippet shows how to add these PostgreSQL functions to DISALLOWED_SQL_FUNCTIONS in your superset_config.py.
# superset_config.py
...
# Add the PostgreSQL functions to the set of disallowed SQL functions.
# DISALLOWED_SQL_FUNCTIONS is a dict keyed by engine name; assigning it here
# replaces the default mapping, so keep any default entries you still want blocked.
DISALLOWED_SQL_FUNCTIONS = {
    "postgresql": {
        'query_to_xml_and_xmlschema',
        'table_to_xml',
        'table_to_xml_and_xmlschema',
        ...
    },
}
Make sure to restart your Apache Superset instance after applying these changes to your configuration file.
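To make concrete what the blocklist is meant to catch, here is an added example (not Superset's own code) of a simplified stand-in for the parser-based check Superset performs: it blanks out string literals and comments, extracts function calls (including schema-qualified and double-quoted names), and reports any that appear in the per-engine mapping. The mapping contents and the helper names are constructed for this illustration; Superset's default entries are assumed to be merged in from your own configuration.

```python
import re

# Constructed example of the per-engine mapping. The three names are the
# PostgreSQL functions named for CVE-2024-53947; Superset's default entries
# are not reproduced here (assumption: merge them from your own config).
DISALLOWED_SQL_FUNCTIONS = {
    "postgresql": {
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "table_to_xml_and_xmlschema",
    },
}

# Blank out string literals and comments first, so a blocked name that only
# appears inside quoted text or a comment is not reported as a call.
_NOISE = re.compile(
    r"'(?:[^']|'')*'"  # single-quoted SQL string literal ('' escapes a quote)
    r"|--[^\n]*"       # line comment
    r"|/\*.*?\*/",     # block comment
    re.S,
)
# An identifier followed by "(", optionally schema-qualified (pg_catalog.f)
# and optionally double-quoted; only the final function name is captured.
_CALL = re.compile(
    r'\b(?:"?[A-Za-z_][A-Za-z0-9_]*"?\.)*"?([A-Za-z_][A-Za-z0-9_]*)"?\s*\('
)


def disallowed_calls(sql: str, engine: str) -> set[str]:
    """Return the blocked function names (lower-cased) that `sql` invokes.

    Names are compared case-insensitively, which is the conservative choice
    for a blocklist. Dollar-quoted strings ($$...$$) are not handled.
    """
    blocked = {f.lower() for f in DISALLOWED_SQL_FUNCTIONS.get(engine, set())}
    cleaned = _NOISE.sub(" ", sql)
    called = {m.group(1).lower() for m in _CALL.finditer(cleaned)}
    return called & blocked


def is_allowed(sql: str, engine: str) -> bool:
    """True when the query calls none of the blocked functions for `engine`."""
    return not disallowed_calls(sql, engine)
```

A query that only mentions a blocked name inside a string literal or a comment passes, while a schema-qualified or upper-cased call is still reported.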
This vulnerability highlights the importance of keeping your software up-to-date and regularly monitoring security announcements to protect your data and maintain operational integrity. By being diligent and attentive to security warnings such as this one, you can greatly minimize the risk of potential security breaches and safeguard the well-being of your organization.
Timeline
Published on: 12/09/2024 14:15:12 UTC