Home

Description

Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable.  This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

PUBLISHED Reserved 2024-12-09 | Published 2024-12-12 | Updated 2025-02-12 | Assigner apache




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-863 Incorrect Authorization

Product status

Default status
unaffected

Any version before 4.1.0
affected

Credits

Beto de Almeida remediation developer

Daniel Gaspar coordinator

James Ford (Striveworks) finder

References

www.openwall.com/lists/oss-security/2024/12/12/1

lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb vendor-advisory

cve.org (CVE-2024-55633)

nvd.nist.gov (CVE-2024-55633)

Download JSON