
Three vulnerabilities affecting Apache Superset have surfaced recently, prompting an immediate response from organizations that use the application.
Apache Superset: Privilege Escalation Vulnerability
CVE-2023-49734, with a CVSS score of 7.7, is a privilege escalation vulnerability. By simply creating charts and adding them to a dashboard, a user can gain unauthorized write permissions, potentially modifying sensitive data or even granting themselves admin access. This vulnerability affects versions 2.1.0 and earlier, as well as 3.0.0 before 3.0.2.
Apache Superset: SQL Injection on wherein JINJA macro
CVE-2023-49736, with a CVSS score of 6.5, opens the door to SQL injection: an attacker could abuse a specific JINJA macro to inject malicious SQL into your data queries. Imagine a seemingly harmless dashboard displaying corrupted data, manipulating results, or even revealing confidential information. This vulnerability also affects versions 2.1.0 and earlier, as well as 3.0.0 before 3.0.2.
Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb
Finally, CVE-2023-46104, with a CVSS score of 6.5, introduces the “ZIP bomb” threat. An attacker could upload a specially crafted ZIP file disguised as a database, dashboard, or dataset. When Apache Superset processes this file, it rapidly expands, consuming excessive memory and CPU resources, potentially crashing the system and disrupting data access. This vulnerability affects all versions up to and including 2.1.2, as well as versions 3.0.0 and 3.0.1.
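As an added illustration of how an importer can defend against this kind of resource-exhaustion archive (this is example code written for this page, not Superset's own import logic, and the limits, function names and sample archives are constructed for the demo): the first gate screens the sizes declared in the ZIP central directory without decompressing anything, and the second gate decompresses under a hard byte budget, because header sizes can be forged and only the bytes actually produced cannot lie.

```python
import io
import zipfile

# Constructed limits for this example; tune them for real import workloads.
DEFAULT_MAX_TOTAL = 50 * 1024 * 1024   # 50 MiB of uncompressed data across all members
DEFAULT_MAX_MEMBERS = 1000
DEFAULT_MAX_RATIO = 100.0              # declared uncompressed / compressed bytes


def declared_totals(data: bytes) -> tuple[int, int, int]:
    """Return (member_count, uncompressed_bytes, compressed_bytes) taken from
    the central directory only. Nothing is decompressed here."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return (len(infos),
                sum(i.file_size for i in infos),
                sum(i.compress_size for i in infos))


def check_headers(data: bytes, max_total: int = DEFAULT_MAX_TOTAL,
                  max_members: int = DEFAULT_MAX_MEMBERS,
                  max_ratio: float = DEFAULT_MAX_RATIO) -> tuple[bool, str]:
    """First gate: reject archives whose *declared* sizes are already absurd."""
    members, uncompressed, compressed = declared_totals(data)
    if members > max_members:
        return False, f"too many members: {members}"
    if uncompressed > max_total:
        return False, f"declared uncompressed size too large: {uncompressed}"
    ratio = uncompressed / compressed if compressed else float("inf")
    if ratio > max_ratio:
        return False, f"compression ratio too high: {ratio:.0f}:1"
    return True, "ok"


def bounded_extract(data: bytes, max_total: int = DEFAULT_MAX_TOTAL,
                    chunk: int = 64 * 1024) -> dict[str, bytes]:
    """Second gate: decompress in chunks and abort as soon as the *actual*
    number of bytes produced passes the cap. Returns {member name: content}.
    Nested archives are not opened, so a bomb hidden one level down is just
    bytes that count against the same budget."""
    out: dict[str, bytes] = {}
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            buf = io.BytesIO()
            with zf.open(info) as member:
                while True:
                    piece = member.read(chunk)
                    if not piece:
                        break
                    produced += len(piece)
                    if produced > max_total:
                        raise ValueError(
                            f"aborted: output exceeded {max_total} bytes "
                            f"while reading {info.filename}")
                    buf.write(piece)
            out[info.filename] = buf.getvalue()
    return out


def extraction_aborts(data: bytes, max_total: int) -> bool:
    """True if bounded_extract gives up before finishing (used by the demo)."""
    try:
        bounded_extract(data, max_total=max_total)
    except ValueError:
        return True
    return False


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory DEFLATE archive from constructed sample members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a small dashboard-style export, and a member of 8 MiB
# of zeros that deflates to a few kilobytes, mimicking the inflation of a bomb.
BENIGN = make_zip({"dashboard.yaml": b"dashboard_title: Sales\nversion: 1.0.0\n"})
INFLATING = make_zip({"dashboard.yaml": b"\0" * (8 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("inflating", INFLATING)):
        ok, reason = check_headers(blob)
        print(f"{label}: header check -> {ok} ({reason})")
    # Even if the headers had been forged to look small, the bounded reader
    # stops once the real output crosses the budget (1 MiB here).
    print("inflating aborts under 1 MiB budget:", extraction_aborts(INFLATING, 1024 * 1024))
```

The ratio threshold is the knob most likely to need tuning: legitimate YAML exports compress well, so set it from observed imports rather than guessing, and keep the absolute byte budget as the backstop that holds regardless of what the headers claim.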
Apache Superset has issued patches to address these vulnerabilities. To stay secure, upgrade to version 3.0.2 or 2.1.3, depending on your environment. Implement security best practices such as user privilege management, data validation, and input filtering to further protect your data.