CVE-2024-53947

CWE-89SQL Injection4 documents4 sources
Severity
2.3LOW
EPSS
0.2%
top 55.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache SupersetApache Superset
Timeline
PublishedDec 9

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema. This issue affects Apache Superset: <4.1.0. Users are recommended to

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages3 packages

NVDapache/superset< 4.1.0
PyPIapache-superset< 4.1.0

🔴Vulnerability Details

3
OSV
Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions2024-12-09
CVEList
Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions2024-12-09
GHSA
Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions2024-12-09
CVE-2024-53947 (LOW CVSS 2.3) | Improper Neutralization of Special | cvebase.io