SB2024013158 - Multiple vulnerabilities in Apache Superset
Published: January 31, 2024 Updated: June 21, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 secuirty vulnerabilities.
1) Improper access control (CVE-ID: CVE-2023-32672)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and query database tables they do not have access to.
2) Code Injection (CVE-ID: CVE-2023-37941)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing metadata. A remote user with write access to the Apache Superset metadata database can inject a specially crafted Python code and execute it on Superset's web backend.
3) Improper access control (CVE-ID: CVE-2023-39265)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions when using alternative driver names or database imports. A remote user can bypass implemented security restrictions and gain unauthorized access to the application, or create files on on Superset webservers. This can result in remote code execution.
4) Information disclosure (CVE-ID: CVE-2023-39264)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the REST API endpoints. A remote attacker can gain unauthorized access to sensitive information on the system.
5) Improper access control (CVE-ID: CVE-2023-27526)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and create resources using the import charts feature.
6) Missing authorization (CVE-ID: CVE-2023-27523)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to missing authorization check on Jinja templated queries. A remote user can bypass implemented security restrictions and issue queries to database tables they have no access to.7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2023-36388)
The disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote Gamma user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
8) Improper access control (CVE-ID: CVE-2023-36387)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote Gamma user can bypass implemented security restrictions and test database connections via REST API.
Remediation
Install update from vendor's website.
References
- https://lists.apache.org/thread/ococ6nlj80f0okkwfwpjczy3q84j3wkp
- https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h
- http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
- https://lists.apache.org/thread/pwdzsdmv4g5g1n2h9m7ortfnxmhr7nfy
- https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75
- https://lists.apache.org/thread/ndww89yl2jd98lvn23n9cj722lfdg8dv
- https://lists.apache.org/thread/3y97nmwm956b6zg3l8dh9oj0w7dj945h
- https://lists.apache.org/thread/ccmjjz4jp17yc2kcd18qshmdtf7qorfs
- https://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3
- https://github.com/apache/superset/pull/24185