CVE-2024-53947 (GCVE-0-2024-53947)
Vulnerability from cvelistv5
Published
2024-12-09 13:35
Modified
2024-12-09 15:05
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema. This issue affects Apache Superset: <4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set DISALLOWED_SQL_FUNCTIONS.
References
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53947",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-09T15:05:04.575998Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-09T15:05:21.361Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Superset",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "4.1.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Iv\u00e1n Arce (Quarkslab)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Daniel Gaspar"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Mathieu Farrell (Quarkslab)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset\u0027s SQL authorization. This issue is a follow-up to\u0026nbsp;CVE-2024-39887 with additional disallowed PostgreSQL functions now included:\u0026nbsp;query_to_xml_and_xmlschema,\u0026nbsp;table_to_xml,\u0026nbsp;table_to_xml_and_xmlschema.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Superset: \u0026lt;4.1.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set\u0026nbsp;DISALLOWED_SQL_FUNCTIONS.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset\u0027s SQL authorization. This issue is a follow-up to\u00a0CVE-2024-39887 with additional disallowed PostgreSQL functions now included:\u00a0query_to_xml_and_xmlschema,\u00a0table_to_xml,\u00a0table_to_xml_and_xmlschema.\n\nThis issue affects Apache Superset: \u003c4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set\u00a0DISALLOWED_SQL_FUNCTIONS."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-09T13:35:09.910Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-53947",
    "datePublished": "2024-12-09T13:35:09.910Z",
    "dateReserved": "2024-11-25T10:23:29.712Z",
    "dateUpdated": "2024-12-09T15:05:21.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53947\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-12-09T14:15:12.267\",\"lastModified\":\"2025-07-15T16:29:47.873\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset\u0027s SQL authorization. This issue is a follow-up to\u00a0CVE-2024-39887 with additional disallowed PostgreSQL functions now included:\u00a0query_to_xml_and_xmlschema,\u00a0table_to_xml,\u00a0table_to_xml_and_xmlschema.\\n\\nThis issue affects Apache Superset: \u003c4.1.0.\\n\\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set\u00a0DISALLOWED_SQL_FUNCTIONS.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de neutralizaci\u00f3n inadecuada de elementos especiales utilizados en un comando SQL (\\\"Inyecci\u00f3n SQL\\\") en Apache Superset. En concreto, no se comprueban determinadas funciones espec\u00edficas del motor, lo que permite a los atacantes eludir la autorizaci\u00f3n SQL de Apache Superset. Este problema es una continuaci\u00f3n de CVE-2024-39887, con funciones PostgreSQL adicionales no permitidas ahora incluidas: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema. Este problema afecta a Apache Superset: \u0026lt;4.1.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 4.1.0, que corrige el problema o a\u00f1adir estas funciones Postgres al conjunto de configuraci\u00f3n DISALLOWED_SQL_FUNCTIONS.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.0\",\"matchCriteriaId\":\"AC65F8D5-0891-46F7-A309-52DCDD75CF42\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53947\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-09T15:05:04.575998Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-09T15:05:10.216Z\"}}], \"cna\": {\"title\": \"Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Iv\\u00e1n Arce (Quarkslab)\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Daniel Gaspar\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Mathieu Farrell (Quarkslab)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Superset\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.1.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset\u0027s SQL authorization. This issue is a follow-up to\\u00a0CVE-2024-39887 with additional disallowed PostgreSQL functions now included:\\u00a0query_to_xml_and_xmlschema,\\u00a0table_to_xml,\\u00a0table_to_xml_and_xmlschema.\\n\\nThis issue affects Apache Superset: \u003c4.1.0.\\n\\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set\\u00a0DISALLOWED_SQL_FUNCTIONS.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset\u0027s SQL authorization. This issue is a follow-up to\u0026nbsp;CVE-2024-39887 with additional disallowed PostgreSQL functions now included:\u0026nbsp;query_to_xml_and_xmlschema,\u0026nbsp;table_to_xml,\u0026nbsp;table_to_xml_and_xmlschema.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Superset: \u0026lt;4.1.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set\u0026nbsp;DISALLOWED_SQL_FUNCTIONS.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-12-09T13:35:09.910Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-53947\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-09T15:05:21.361Z\", \"dateReserved\": \"2024-11-25T10:23:29.712Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-12-09T13:35:09.910Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…