Multi Vulnerabilities Found in Apache Superset

Apache Superset Vulnerabilities

In the vast tableau of data visualization tools, Apache Superset shines bright, offering an enticing concoction of user-friendly features, agility, and rich customization options. With the capacity to paint a wide range of data portraits—from the simplest pie chart to intricate geospatial maps—it has carved a niche for itself among both neophytes and data professionals.

Recently, a series of vulnerabilities, ripe for exploitation, have surfaced in Apache Superset through version 2.1. These span from remote code execution risks to more subtle improper authorization issues.

The following are some of the most critical security vulnerabilities found in Apache Superset:

  • CVE-2023-37941: This vulnerability allows an attacker with write access to the Apache Superset metadata database to persist a specifically crafted Python object that may lead to remote code execution.
  • CVE-2023-39265: This vulnerability allows an attacker to register SQLite database connections without authorization. This could allow the attacker to create unexpected files on the Superset server or, if Superset is using a SQLite database for its metadata, could result in more severe vulnerabilities.
  • CVE-2023-39264: This vulnerability allows stack traces for errors to be exposed to users by default. This could allow attackers to gain information about the internal workings of Superset, which could be used to exploit other vulnerabilities.
  • CVE-2023-27526: This vulnerability allows a non-admin user to incorrectly create resources using the import charts feature. This could allow the attacker to gain unauthorized access to data or systems.
  • CVE-2023-27523: This vulnerability allows an authenticated user to issue queries on database tables they may not have access to. This could allow the attacker to gain unauthorized access to sensitive data.
  • CVE-2023-36388: This vulnerability allows an authenticated Gamma user to test network connections, which could be used to launch a reflected cross-site request forgery (CSRF) attack.
  • CVE-2023-36387: This vulnerability allows an authenticated Gamma user to test database connections. This could be used to identify vulnerabilities in the database that could be exploited by the attacker.
  • CVE-2023-32672: This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. This can be exploited by leveraging a SQL parsing vulnerability.

Apache Superset has released patches for all of these vulnerabilities. Users are advised to update to the latest version of Apache Superset as soon as possible.

Apache Superset, with its myriad of features, offers significant advantages. However, these vulnerabilities shed light on the importance of security diligence even in the most advanced tools. Developers and administrators should be on the lookout for patches and updates, ensuring these gaps are promptly sealed, and keeping data visualization a delightful and secure experience.

Via: seclists