CVE-2024-55633: Apache Superset Vulnerability Exposes Sensitive Data to Unauthorized Modification


A newly discovered vulnerability in Apache Superset, a popular open-source business intelligence platform, could allow attackers to gain unauthorized write access to sensitive data. Tracked as CVE-2024-55633 and assigned a CVSS score of 7.1 (High), the flaw stems from improper validation of read-only queries in the platform’s SQLLab feature.

Superset’s SQLLab provides a powerful interface for users to explore and visualize data using SQL queries. However, due to this vulnerability, attackers with SQLLab access can craft malicious SQL statements that bypass the read-only restrictions, enabling them to modify or delete data.

“On Postgres analytic databases, an attacker with SQLLab access can craft a specially designed SQL DML statement that is incorrectly identified as a read-only query, enabling its execution,” explains the official vulnerability advisory.

The vulnerability affects all versions of Apache Superset prior to 4.1.0. Fortunately, the Apache Superset development team has addressed the issue in version 4.1.0.

Users are strongly urged to upgrade to Apache Superset 4.1.0 immediately to mitigate the risk of exploitation.

Organizations using Superset should prioritize patching their systems to prevent potential data breaches and ensure the integrity of their business intelligence operations.
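The two things an operator can act on from this advisory are the fixed version (4.1.0) and the fact that the SQLLab read-only check itself misclassified a DML statement, so a conservative review of what SQLLab actually executed is worthwhile. The following Python helper, added here as an example and not part of the advisory or the Apache Superset project, does both: it compares a version string against 4.1.0 and scans query-history rows for statements that do not begin with a plainly read-only keyword. The log rows are constructed samples and their field names (`id`, `user`, `sql`) are assumptions; a real Superset deployment keeps executed SQL in its own query log, whose schema you would map onto them.

```python
"""Added example (not from the advisory or the Superset project): a small
defender-side audit helper for CVE-2024-55633.

Two checks a Superset operator would run after reading the advisory:
  1. Is the running Superset version older than 4.1.0, the fixed release?
  2. Does SQLLab query history contain statements that are not plainly
     read-only? The classifier is intentionally conservative: because the
     platform's own read-only check was fooled, anything that is not a bare
     SELECT/EXPLAIN/SHOW is surfaced for human review rather than trusted.
"""
import re

FIXED_VERSION = (4, 1, 0)  # first release that ships the fix, per the advisory


def parse_version(text):
    """Turn a dotted version such as '4.0.2' into a comparable tuple of ints.
    Pre-release suffixes are ignored, so '4.1.0rc1' compares equal to 4.1.0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version_text):
    """True if the given Superset version predates the 4.1.0 fix."""
    return parse_version(version_text) < FIXED_VERSION


# Only these leading keywords are treated as read-only without review.
READ_ONLY_FIRST_KEYWORDS = {"SELECT", "EXPLAIN", "SHOW"}


def strip_sql_comments(sql):
    """Remove block and line comments so they cannot hide the first keyword."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return sql


def first_keyword(statement):
    """Return the first bare word of a statement, upper-cased ('' if none)."""
    m = re.match(r"\s*([A-Za-z]+)", statement)
    return m.group(1).upper() if m else ""


def flag_for_review(sql):
    """Return the individual statements in `sql` that are not plainly read-only.
    Splitting on ';' is a heuristic; it does not understand string literals."""
    flagged = []
    for stmt in strip_sql_comments(sql).split(";"):
        stmt = stmt.strip()
        if stmt and first_keyword(stmt) not in READ_ONLY_FIRST_KEYWORDS:
            flagged.append(stmt)
    return flagged


# Constructed sample rows standing in for a Superset query-history export.
SAMPLE_QUERY_LOG = [
    {"id": 1, "user": "analyst", "sql": "SELECT count(*) FROM orders"},
    {"id": 2, "user": "analyst",
     "sql": "-- monthly rollup\nSELECT month, sum(total) FROM orders GROUP BY month"},
    {"id": 3, "user": "contractor", "sql": "UPDATE orders SET total = 0 WHERE id = 7"},
    {"id": 4, "user": "analyst",
     "sql": "WITH recent AS (SELECT * FROM orders) SELECT * FROM recent"},
]


def audit_query_log(records):
    """Return (record id, user, leading keyword) for every statement that a
    reviewer should look at. Benign WITH queries will appear here too; that is
    the price of not trusting a keyword check the advisory shows was bypassed."""
    findings = []
    for rec in records:
        for stmt in flag_for_review(rec["sql"]):
            findings.append((rec["id"], rec["user"], first_keyword(stmt)))
    return findings


if __name__ == "__main__":
    for ver in ("3.1.3", "4.0.2", "4.1.0"):
        print(ver, "affected" if is_affected(ver) else "fixed")
    for finding in audit_query_log(SAMPLE_QUERY_LOG):
        print("review:", finding)
```

Run it against a real export by replacing `SAMPLE_QUERY_LOG` with rows from your own query history; a non-empty finding list is a prompt for review, not proof of misuse, and the version check is the part that actually determines exposure.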