SQL injection in Apache Superset
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-41971 |
| CWE-ID | CWE-89 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Apache Superset Web applications / Other software |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) SQL injection
EUVDB-ID: #VU71205
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-41971
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can send a specially crafted HTTP request to the custom URL and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability requires that the Apache Superset is configured with enabled ENABLE_TEMPLATE_PROCESSIN option (disabled by default).
Install update from vendor's website.
Vulnerable software versionsApache Superset: 1.0.0 - 1.3.0
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
