CVE-2024-34693

2024-06-2009:15:11

CWE-20

[email protected]

web.nvd.nist.gov

apache superset

input validation

vulnerability

mariadb

local infile

sql command

upgrade

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it’s possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0

Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.

Affected configurations

Vulners

Node

apachesupersetRange≤3.1.3

apachesupersetRange≤4.0.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Superset",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "3.1.3",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.0.1",
        "status": "affected",
        "version": "4.0.0",
        "versionType": "semver"
      }
    ]
  }
]