Apache Superset Patches Multi Security Flaws in Latest Release

CVE-2024-53947, CVE-2024-53948, and CVE-2024-53949

The Apache Software Foundation has announced the release of Apache Superset 4.1.0, an important update that addresses three significant security vulnerabilities affecting the widely used open-source business intelligence platform. These vulnerabilities, identified as CVE-2024-53947, CVE-2024-53948, and CVE-2024-53949, vary in severity and could allow attackers to bypass security controls, access sensitive data, and gain unauthorized privileges.

CVE-2024-53947: SQL Injection Vulnerability

This vulnerability stems from improper SQL authorization checks, specifically related to certain PostgreSQL functions. Attackers could exploit this flaw to bypass Superset’s security mechanisms and execute arbitrary SQL queries, potentially leading to data breaches and unauthorized access to sensitive information.

CVE-2024-53948: Metadata Exposure

This vulnerability arises from the excessive verbosity of error messages generated by Superset. Under certain conditions, these error messages could inadvertently expose metadata about the underlying analytics database, potentially providing attackers with valuable information for further exploitation.

CVE-2024-53949: Authorization Bypass

This vulnerability affects Superset deployments where the FAB_ADD_SECURITY_API is enabled (disabled by default). It allows lower-privileged users to exploit the API to create new roles, potentially escalating their privileges and gaining unauthorized access to sensitive functionalities.

Mitigation and Remediation

The Apache Software Foundation urges all Superset users to upgrade to version 4.1.0 immediately. This release includes comprehensive patches that address all three vulnerabilities.

In addition to upgrading, users can implement the following mitigations:

  • CVE-2024-53947: If upgrading is not immediately feasible, users can manually add the vulnerable PostgreSQL functions (query_to_xml_and_xmlschema, table_to_xml, and table_to_xml_and_xmlschema) to the DISALLOWED_SQL_FUNCTIONS configuration setting.
  • CVE-2024-53949: Ensure that the FAB_ADD_SECURITY_API is disabled if not explicitly required.
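As an added example (not code from the advisory or from the Superset project), the following superset_config.py fragment applies both workarounds above, together with a simplified checker that illustrates what the deny list is meant to enforce. The dict shape (engine name mapped to a set of function names) follows Superset's default configuration; the regex-based scanner is an assumption standing in for Superset's real SQL parsing.

```python
# Added example, not Superset's own code: superset_config.py fragment applying
# the two workarounds named in the advisory, plus an illustrative check.
import re

# CVE-2024-53949 workaround: keep the FAB security API off unless it is
# explicitly required (this is also the default).
FAB_ADD_SECURITY_API = False

# CVE-2024-53947 workaround: deny the PostgreSQL functions named in the
# advisory. Keyed by engine name, as in Superset's default config.
DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
    "postgresql": {
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "table_to_xml_and_xmlschema",
    },
}

# Matches `identifier(` so we can pick out function-call names.
_FUNC_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def disallowed_functions_used(sql: str, engine: str) -> set[str]:
    """Return the denied functions (for `engine`) that appear as calls in `sql`.

    Simplified illustration (assumption, not Superset's parser): a
    case-insensitive regex scan. It does not skip string literals or
    comments, so it may over-match, which errs on the side of blocking.
    """
    denied = DISALLOWED_SQL_FUNCTIONS.get(engine, set())
    called = {m.group(1).lower() for m in _FUNC_CALL.finditer(sql)}
    return called & denied


def should_block(sql: str, engine: str) -> bool:
    """True when the query references any function denied for this engine."""
    return bool(disallowed_functions_used(sql, engine))
```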
