CVE-2024-39887: Apache Superset Vulnerability Exposes Organizations to SQL Injection Attacks
Apache Superset, a popular open-source data exploration and visualization platform used by countless organizations worldwide, has been found to contain a SQL injection vulnerability (CVE-2024-39887). This vulnerability could allow attackers to bypass security measures and execute malicious SQL commands, potentially exposing sensitive data or compromising the entire system.
What’s the Problem?
The vulnerability stems from Superset’s improper neutralization of special elements used in SQL commands. Certain engine-specific functions are not checked, enabling attackers to craft malicious queries that slip through Superset’s SQL authorization mechanism. This leaves organizations vulnerable to unauthorized data access, manipulation, or even complete system takeover.
Who’s Affected?
The vulnerability affects all versions of Apache Superset prior to 4.0.2. Organizations utilizing this platform are strongly urged to assess their risk and take immediate action to protect their data and systems.
Mitigation Steps
To mitigate the risk, Apache has released Superset version 4.0.2, which addresses the vulnerability. Users are advised to upgrade to this version as soon as possible. Additionally, a new configuration key, DISALLOWED_SQL_FUNCTIONS, has been introduced to block the use of specific PostgreSQL functions known to be exploitable. Organizations can further harden their deployment by adding further functions to this list.
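The following is an added example, not code from the advisory or from the Superset project, showing how a per-engine denylist in the spirit of DISALLOWED_SQL_FUNCTIONS can be declared and then checked against a query before it is submitted. The dict layout (engine name mapped to a set of function names), the sample entries, and the helper functions are assumptions made for illustration; Superset's own check is implemented inside the project and may differ.

```python
"""Added example: declare a per-engine SQL function denylist and check a
query against it. The dict layout and the entries below are assumptions
for illustration, not Superset's defaults."""
from __future__ import annotations

import re

# superset_config.py style setting (assumed layout: engine -> set of
# lower-case function names). The entries are constructed examples.
DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
    "postgresql": {"version", "inet_server_addr"},
}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_LINE_COMMENT = re.compile(r"--[^\n]*")
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# An identifier immediately followed by "(" is treated as a function call.
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def _strip_noise(sql: str) -> str:
    """Remove comments and string literals so that text inside them is not
    mistaken for a call. This is a lightweight illustration; a production
    check should use a real SQL parser for the target dialect."""
    sql = _BLOCK_COMMENT.sub(" ", sql)
    sql = _LINE_COMMENT.sub(" ", sql)
    return _STRING_LITERAL.sub("''", sql)


def called_functions(sql: str) -> set[str]:
    """Lower-cased names of every function invoked in the query.
    Schema-qualified calls such as pg_catalog.version() are still caught,
    because '.' is a word boundary for the regex."""
    return {m.group(1).lower() for m in _CALL.finditer(_strip_noise(sql))}


def disallowed_in_query(
    sql: str, engine: str, config: dict[str, set[str]] = DISALLOWED_SQL_FUNCTIONS
) -> set[str]:
    """Functions used in the query that the engine's denylist forbids.
    Engines without an entry in the config have nothing blocked."""
    blocked = {f.lower() for f in config.get(engine, set())}
    return called_functions(sql) & blocked


def is_query_allowed(
    sql: str, engine: str, config: dict[str, set[str]] = DISALLOWED_SQL_FUNCTIONS
) -> bool:
    """True when the query uses no denylisted function for this engine."""
    return not disallowed_in_query(sql, engine, config)


if __name__ == "__main__":
    # Constructed sample queries; the first is allowed, the second is not.
    for q in ("SELECT name FROM users WHERE id = 1", "SELECT pg_catalog.VERSION ()"):
        print(f"{q!r}: allowed={is_query_allowed(q, 'postgresql')}, "
              f"hits={sorted(disallowed_in_query(q, 'postgresql'))}")
```

The check is deliberately conservative: comments are removed before matching so a call cannot hide behind a comment marker, and matching is case-insensitive and tolerant of whitespace before the parenthesis. Extending the list for a deployment means adding names to the engine's set rather than editing the check.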