### #OpenSourceSecurity #BusinessIntelligenceRisks #DataProtectionAwareness
Summary: The Apache Software Foundation has released Apache Superset 4.1.0 to address three security vulnerabilities (a SQL authorization bypass, a metadata disclosure through error messages, and a privilege escalation via the security API) that could allow attackers to bypass security controls, access sensitive data, or gain unauthorized privileges. Users are urged to upgrade to this version; interim mitigations are available where an immediate upgrade is not possible.
Threat Actor: Unknown | unknown
Victim: Apache Superset Users | Apache Superset
Key Points:
- Three vulnerabilities identified: CVE-2024-53947 (SQL Injection), CVE-2024-53948 (Metadata Exposure), and CVE-2024-53949 (Authorization Bypass).
- CVE-2024-53947 allows attackers to execute arbitrary SQL queries because Superset's SQL authorization checks did not cover certain PostgreSQL functions.
- CVE-2024-53948 exposes sensitive metadata through verbose error messages, aiding potential attackers.
- CVE-2024-53949 permits lower-privileged users to create new roles, escalating their privileges if the FAB_ADD_SECURITY_API is enabled.
- Users are advised to upgrade to version 4.1.0 and implement additional mitigations if immediate upgrades are not possible.
The Apache Software Foundation has announced the release of Apache Superset 4.1.0, an important update that addresses three significant security vulnerabilities affecting the widely used open-source business intelligence platform. These vulnerabilities, identified as CVE-2024-53947, CVE-2024-53948, and CVE-2024-53949, range in severity and could potentially allow attackers to bypass security controls, access sensitive data, and gain unauthorized privileges.
CVE-2024-53947: SQL Injection Vulnerability
This vulnerability stems from improper SQL authorization checks, specifically around certain PostgreSQL functions (`query_to_xml_and_xmlschema`, `table_to_xml`, and `table_to_xml_and_xmlschema`). These functions take a query or table reference as an argument and execute it server-side, so a user who is only authorized to run a narrow SELECT could smuggle arbitrary SQL through them and bypass Superset's dataset and row-level restrictions. Successful exploitation could lead to data breaches and unauthorized access to sensitive information in the connected analytics database.
CVE-2024-53948: Metadata Exposure
This vulnerability arises from the excessive verbosity of error messages generated by Superset. Under certain conditions, these error messages could inadvertently expose metadata about the underlying analytics database, potentially providing attackers with valuable information for further exploitation.
CVE-2024-53949: Authorization Bypass
This vulnerability affects Superset deployments where the `FAB_ADD_SECURITY_API` setting is enabled (it is disabled by default). It allows lower-privileged users to use the Flask-AppBuilder security API to create new roles, potentially escalating their privileges and gaining unauthorized access to sensitive functionality.
Mitigation and Remediation
The Apache Software Foundation urges all Superset users to upgrade to version 4.1.0 immediately. This release includes comprehensive patches that address all three vulnerabilities.
In addition to upgrading, users can implement the following mitigations:
- CVE-2024-53947: If upgrading is not immediately feasible, add the vulnerable PostgreSQL functions (`query_to_xml_and_xmlschema`, `table_to_xml`, and `table_to_xml_and_xmlschema`) to the `DISALLOWED_SQL_FUNCTIONS` configuration setting. Note that this setting is keyed by database engine, so the names belong under the `postgresql` entry alongside the functions Superset already blocks there.
- CVE-2024-53949: Ensure that `FAB_ADD_SECURITY_API` is disabled unless it is explicitly required.
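The following is an added example, not code from the article or from the Apache Superset project. It shows a `superset_config.py` fragment that applies both interim mitigations, plus a small stand-alone helper for checking whether a query calls one of the blocked functions. `DISALLOWED_SQL_FUNCTIONS` and `FAB_ADD_SECURITY_API` are real Superset configuration keys; the pre-existing `postgresql`, `clickhouse` and `mysql` entries reflect Superset's shipped defaults as I know them. The `disallowed_functions_in` helper is an assumption: a deliberately simple regex scan that approximates, and does not reproduce, the parser-based validation Superset performs internally.

```python
"""superset_config.py fragment plus a stand-alone checker (added example).

Not code from Apache Superset. DISALLOWED_SQL_FUNCTIONS and
FAB_ADD_SECURITY_API are real Superset settings; disallowed_functions_in()
is a hypothetical helper that approximates Superset's own query validation.
"""
import re

# Interim mitigation for CVE-2024-53947 on deployments that cannot yet move
# to 4.1.0: the setting is keyed by engine name, so the three functions from
# the advisory go under "postgresql" next to the names Superset blocks by
# default (default entries listed here as assumed, not copied from the page).
DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
    "postgresql": {
        "version",
        "query_to_xml",
        "inet_server_addr",
        "inet_client_addr",
        # Added per the CVE-2024-53947 advisory:
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "table_to_xml_and_xmlschema",
    },
    "clickhouse": {"version"},
    "mysql": {"version"},
}

# Interim mitigation for CVE-2024-53949: leave the Flask-AppBuilder security
# API off (this is the default) unless role management over the API is needed.
FAB_ADD_SECURITY_API = False

# Matches an identifier immediately followed by "(" so that both bare and
# schema-qualified calls (e.g. pg_catalog.query_to_xml(...)) are caught.
_CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def disallowed_functions_in(sql: str, engine: str) -> set[str]:
    """Return the blocked function names that `sql` calls for `engine`.

    Case-insensitive, because PostgreSQL folds unquoted identifiers to lower
    case. This is an illustrative approximation (assumption): a real check
    must work on a parsed query, since comments, string literals and quoted
    identifiers can defeat a regex scan in both directions.
    """
    blocked = DISALLOWED_SQL_FUNCTIONS.get(engine, set())
    called = {m.group(1).lower() for m in _CALL_RE.finditer(sql)}
    return called & blocked


def is_query_allowed(sql: str, engine: str) -> bool:
    """True when the query calls none of the functions blocked for `engine`."""
    return not disallowed_functions_in(sql, engine)


if __name__ == "__main__":
    # Constructed sample queries of the kind the advisory describes.
    samples = [
        ("SELECT query_to_xml('SELECT * FROM secrets', true, false, '')", "postgresql"),
        ("SELECT pg_catalog.TABLE_TO_XML('secrets', true, false, '')", "postgresql"),
        ("SELECT count(*) FROM sales WHERE region = 'EMEA'", "postgresql"),
    ]
    for sql, engine in samples:
        print(f"{'BLOCKED' if not is_query_allowed(sql, engine) else 'allowed':8} {sql}")
```

Because `DISALLOWED_SQL_FUNCTIONS` is keyed by engine, a name placed under the wrong key has no effect; after editing the file, run a query that calls one of the three functions through SQL Lab on a PostgreSQL connection and confirm Superset rejects it.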
Source: https://securityonline.info/apache-superset-patches-multi-security-flaws-in-latest-release