Apache Superset is a popular open-source data visualization and business intelligence platform for exploring and visualizing large datasets. An Improper Authorization vulnerability (CVE-2024-53949) exists when the FAB_ADD_SECURITY_API feature is enabled in Apache Superset, which could allow lower-privileged users to exploit this API. The vulnerability affects Apache Superset versions from 2.. up to, but not including, 4.1.. Users are strongly advised to upgrade their Superset installations to version 4.1. or later to fix this security issue.
Code Snippet
Below is a code snippet that illustrates the vulnerability when FAB_ADD_SECURITY_API is enabled in Apache Superset:
# app.py
from flask_appbuilder import AppBuilder
from flask_appbuilder.security.sqla.manager import SecurityManager

class MyCustomSecurityManager(SecurityManager):
    # Exposes the Flask-AppBuilder security REST API (users, roles, permissions)
    ADD_SECURITY_API = True

appbuilder = AppBuilder(
    security_manager_class=MyCustomSecurityManager,
    update_perms=True,
)

# security.py
from superset.security import SupersetSecurityManager

class CustomSupersetSecurityManager(SupersetSecurityManager):
    def can_access(self, permission_name, view_name):
        # Imported inside the method to avoid a circular import with the superset package
        from superset import is_feature_enabled
        # Vulnerable pattern: once the feature flag is on, every permission check
        # is short-circuited to True and role-based authorization is bypassed
        if is_feature_enabled("FAB_ADD_SECURITY_API"):
            return True
        return super().can_access(permission_name, view_name)
Exploit Details
When the FAB_ADD_SECURITY_API feature is enabled (it is disabled by default), a lower-privileged user can exploit the vulnerability in Apache Superset and gain unauthorized access to protected resources. This is possible because the can_access function in the snippet above returns True for every permission check, so the normal authorization checks are bypassed.
Because the feature is disabled by default, exposure is limited to deployments where system administrators or developers enabled it, which may happen inadvertently or without understanding the associated security risk.
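As an added defensive check (not code from the Superset project or from the original write-up), the following audits a superset_config.py for the FAB_ADD_SECURITY_API setting described above and flags deployments that still run a version older than the fix. The fixed-version default of 4.1.0 and the lookup of the flag inside a FEATURE_FLAGS dict are assumptions made here.

```python
import ast
from typing import Any, Dict

def parse_version(version: str) -> tuple:
    """Turn '4.1.0' (or '4.1') into a 3-tuple so versions compare numerically."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def security_api_enabled(config_text: str) -> bool:
    """True if the config turns on FAB_ADD_SECURITY_API, either as a top-level
    assignment or as a key inside the FEATURE_FLAGS dict (ast-based, so the
    config file is parsed but never executed during the audit)."""
    for node in ast.parse(config_text).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            if target.id == "FAB_ADD_SECURITY_API":
                if isinstance(node.value, ast.Constant) and node.value.value is True:
                    return True
            elif target.id == "FEATURE_FLAGS" and isinstance(node.value, ast.Dict):
                for key, val in zip(node.value.keys, node.value.values):
                    if (isinstance(key, ast.Constant) and key.value == "FAB_ADD_SECURITY_API"
                            and isinstance(val, ast.Constant) and val.value is True):
                        return True
    return False

def audit_superset(config_text: str, installed: str, fixed: str = "4.1.0") -> Dict[str, Any]:
    """Exposed only when both hold: the flag is on AND the install predates the fix.
    The 'fixed' default is an assumption based on the 4.1 release named above."""
    enabled = security_api_enabled(config_text)
    outdated = parse_version(installed) < parse_version(fixed)
    return {"api_enabled": enabled, "outdated": outdated, "exposed": enabled and outdated}

# Constructed sample configs, not taken from any real deployment.
RISKY_CONFIG = '''
SECRET_KEY = "placeholder"
FAB_ADD_SECURITY_API = True
FEATURE_FLAGS = {"DASHBOARD_RBAC": True}
'''
SAFE_CONFIG = '''
SECRET_KEY = "placeholder"
FEATURE_FLAGS = {"FAB_ADD_SECURITY_API": False}
'''

if __name__ == "__main__":
    print(audit_superset(RISKY_CONFIG, "3.1.0"))   # exposed: True
    print(audit_superset(RISKY_CONFIG, "4.1.0"))   # exposed: False
```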
Original References
The CVE-2024-53949 Improper Authorization vulnerability in Apache Superset was originally reported and documented by the Apache Superset team. The full release notes and relevant details can be found at the official Apache Superset GitHub repository:
- Apache Superset Release Notes: https://github.com/apache/superset/releases
- Apache Superset Documentation: https://superset.apache.org/docs/introduction
- Apache Superset Security Advisory: https://superset.apache.org/security
Conclusion
To protect against the CVE-2024-53949 Improper Authorization vulnerability in Apache Superset, users should update their Superset installations to version 4.1. or later. Developers and system administrators should also understand the security implications of enabling the FAB_ADD_SECURITY_API feature before turning it on. By keeping software up to date, understanding the features they enable and the risks that come with them, and practicing good security hygiene, organizations can protect their data and limit the impact of vulnerabilities in the tools they use.
Timeline
Published on: 12/09/2024 14:15:12 UTC
Last modified on: 12/09/2024 18:15:24 UTC