CVE-2023-37924: Apache Submarine SQL Injection Vulnerability

In the realm of machine learning, Apache Submarine stands out as a popular end-to-end platform, empowering data scientists to navigate the entire machine-learning workflow. However, a recent vulnerability, CVE-2023-37924, has emerged, posing a potential threat to data security.

CVE-2023-37924 is a critical Severity SQL Injection vulnerability found in Apache Submarine. SQL Injection is a type of attack that allows an attacker to interfere with the queries that an application makes to its database. It can result in unauthorized access and manipulation of data.

This vulnerability, discovered in Apache Submarine versions from 0.7.0 to before 0.8.0, poses a significant risk. It allows malicious actors to bypass login authentication, potentially leading to unauthorized access to sensitive data and system functionalities.

In response to this alarming discovery, Apache Submarine has promptly addressed the issue. The resolution includes:

• Upgrading to Apache Submarine 0.8.0: This not only resolves the SQL injection vulnerability but also enhances the platform with support for oidc authentication mode and eliminates unauthenticated logins.
• For Users Unable to Upgrade: Apache Submarine suggests cherry-picking the relevant PR [1, 2] and rebuilding the submarine-server image as an interim fix.

The discovery of CVE-2023-37924 in Apache Submarine highlights the ongoing challenges in securing advanced technology platforms. It’s a stark reminder for organizations and developers to remain vigilant, update their systems regularly, and prioritize security in their digital infrastructure.