CVE-2022-41703: Critical-Severity Vulnerability Found in Apache Superset

CVE-2022-41703

Seven security advisories for the Apache Superset open-source Data visualization and data exploration platform have been released after researchers determined that they contained vulnerabilities.

Apache Superset is a modern data exploration and data visualization platform. Superset can replace or augment proprietary business intelligence tools for many teams. Superset integrates well with a variety of data sources.

A critical-severity SQL injection vulnerability in the SQL Alchemy connector of Apache Superset (CVE-2022-41703) was said to affect version 1.5.2 and prior versions and version 2.0.0.

“A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag “ALLOW_ADHOC_SUBQUERY” disabled (default value),” Superset developers wrote in an advisory.

CVE-2022-41703 was addressed with the release of Superset 1.5.3 and 2.0.1. A temporary workaround hasn’t been made available, Superset developers have described it as “critical” and advised users to install the updates as soon as possible.

Two moderate-severity flaws in Superset tracked as CVE-2022-43719 and CVE-2022-43721. The former is a cross-site request forgery (CSRF) while the latter is an open redirect vulnerability.

An additional 4 low-severity vulnerabilities were resolved –

  • CVE-2022-43720: An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record.
  • CVE-2022-43718: Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions.
  • CVE-2022-45438: When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint.
  • CVE-2022-43717: Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions.

The issues were identified by Positive Technologies and Sunny Alexli and affected version 1.5.2 and prior versions and version 2.0.0, and they were patched with the release of versions 1.5.3 and 2.0.1.