Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-39887

CWE-89SQL Injection6 documents5 sources
Severity
9.8CRITICAL
EPSS
64.8%
top 1.54%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache Software Foundation Apache SupersetApache Superset
Timeline
PublishedJul 16
Latest updateDec 9

Description

An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional f

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

NVDapache/superset< 4.0.2
PyPIapache-superset< 4.0.2

🔴Vulnerability Details

4
GHSA
Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions2024-12-09
GHSA
Apache Superset vulnerable to improper SQL authorization2024-07-16
CVEList
Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions2024-07-16
OSV
Apache Superset vulnerable to improper SQL authorization2024-07-16

💥Exploits & PoCs

1
Nuclei
Apache Superset < 4.0.2 - SQL Injection
CVE-2024-39887 (CRITICAL CVSS 9.8) | An SQL Injection vulnerability in A | cvebase.io