Critical Vulnerabilities Found in Apache Superset: Upgrade Urged
In the world of data visualization and business intelligence, Apache Superset stands out as a modern, enterprise-ready web application. Renowned for its speed, lightness, and intuitive design, it empowers users across various skill levels to delve into data visualization, from basic pie charts to intricate deck.gl geospatial charts. However, even the most robust applications are not immune to security threats. Recently, three significant vulnerabilities in Apache Superset have come to light, underscoring the importance of continuous vigilance in cybersecurity.
1. CVE-2023-43701: Stored Cross-Site Scripting (XSS)
The first of these vulnerabilities, CVE-2023-43701, is a Stored Cross-Site Scripting (XSS) weakness in Apache Superset. Because a Chart's metadata was not properly validated and a REST API response carried an inadequate content type, an authenticated malicious actor could store harmful code in a Chart's metadata; that code could then execute in the browser of any user who accessed a specific deprecated API endpoint. Versions prior to 2.1.2 are affected.
Users are urged to upgrade to Apache Superset version 2.1.2, which rectifies this vulnerability, thereby fortifying their data visualization environment against this XSS exploit.
2. CVE-2023-40610: Escalation of Privileges
The second vulnerability, CVE-2023-40610, presents a privilege escalation risk in Apache Superset versions up to but excluding 2.1.2. Leveraging the default examples database connection, which provides access to both the examples schema and Apache Superset’s metadata database, an attacker could exploit this flaw using a specially crafted CTE SQL statement. This tactic could lead to alterations in the metadata database, potentially compromising authentication and authorization data.
To prevent any unauthorized escalation of privileges, users should immediately upgrade their Apache Superset installation to version 2.1.2 or higher.
3. CVE-2023-42501: Unwarranted Read Permissions within the Gamma Role
The third vulnerability, CVE-2023-42501, pertains to excessive read permissions within the Gamma role. This oversight could allow authenticated users to access configured CSS templates and annotations, which should typically be restricted. This issue impacts Apache Superset versions before 2.1.2.
Users should update to version 2.1.2 or later and execute `superset init` to reconfigure the Gamma role, or alternatively, remove the `can_read` permission from the affected resources.
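For administrators who take the second route, the following added example (not part of Superset or of this article) audits the Gamma role for `can_read` grants on the resources named above and strips them. It assumes the Flask-AppBuilder security-manager methods `find_role`, `find_permission_view_menu` and `del_permission_role`, and the view-menu names `CssTemplate`, `Annotation` and `AnnotationLayer` (assumed; confirm them in your own instance before running against `security_manager` inside a Superset app context). The in-memory `FakeSecurityManager` is a constructed stand-in so the script runs offline.

```python
from types import SimpleNamespace

# Assumed view-menu names for the resources named in CVE-2023-42501.
RESTRICTED_RESOURCES = ("CssTemplate", "Annotation", "AnnotationLayer")


def excessive_read_grants(security_manager, role_name="Gamma",
                          resources=RESTRICTED_RESOURCES):
    """Return sorted (permission, view_menu) pairs the role should not hold."""
    role = security_manager.find_role(role_name)
    if role is None:
        raise ValueError(f"role {role_name!r} not found")
    return sorted((pvm.permission.name, pvm.view_menu.name)
                  for pvm in role.permissions
                  if pvm.permission.name == "can_read"
                  and pvm.view_menu.name in resources)


def strip_read_grants(security_manager, role_name="Gamma",
                      resources=RESTRICTED_RESOURCES, dry_run=True):
    """Remove the excess grants; with dry_run=True only report what would go."""
    role = security_manager.find_role(role_name)
    removed = []
    for perm_name, view_name in excessive_read_grants(security_manager,
                                                      role_name, resources):
        pvm = security_manager.find_permission_view_menu(perm_name, view_name)
        if pvm is None:
            continue  # grant vanished between audit and removal
        if not dry_run:
            security_manager.del_permission_role(role, pvm)
        removed.append(view_name)
    return removed


class FakeSecurityManager:
    """Constructed stand-in for the Flask-AppBuilder security manager (offline use)."""

    def __init__(self, role_name, grants):
        pvms = [SimpleNamespace(permission=SimpleNamespace(name=p),
                                view_menu=SimpleNamespace(name=v)) for p, v in grants]
        self.role = SimpleNamespace(name=role_name, permissions=pvms)

    def find_role(self, name):
        return self.role if name == self.role.name else None

    def find_permission_view_menu(self, perm, view):
        return next((p for p in self.role.permissions
                     if p.permission.name == perm and p.view_menu.name == view), None)

    def del_permission_role(self, role, pvm):
        role.permissions.remove(pvm)
```

Run it first with `dry_run=True` to see which grants would be removed, then with `dry_run=False` against the real security manager once the view-menu names are confirmed.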