CVE-2023-49736

CWE-89 — SQL Injection4 documents4 sources

Severity

8.8HIGH

EPSS

0.5%

top 34.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedDec 19

Description

A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/superset3.0.0 — 3.0.2+1

▶PyPIapache-superset3.0.0 — 3.0.2+1

▶CVEListV5apache_software_foundation/apache_superset3.0.0 — 3.0.2+1

🔴Vulnerability Details

CVEList

Apache Superset: SQL Injection on where_in JINJA macro↗2023-12-19

▶

GHSA

Apache Superset SQL injection vulnerability↗2023-12-19

▶

OSV

Apache Superset SQL injection vulnerability↗2023-12-19

▶