
The Apache Software Foundation has announced the release of Apache Superset 4.1.0, which fixes several bugs that could allow attackers to bypass security controls, access sensitive data, and gain unauthorized privileges.
The first vulnerability tracked as CVE-2024-53949 with a CVSS score of 7.6 affects Superset deployments where the FAB_ADD_SECURITY_API is enabled (disabled by default). It allows lower-privileged users to exploit the API to create new roles, potentially escalating their privileges and gaining unauthorized access to sensitive functionalities.
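One way a defender can watch for the role-creation path described above is to scan access logs for write requests to the FAB security API's role endpoints by accounts that are not expected to manage roles. The following is an added example, not Superset or FAB code: it assumes Common Log Format lines whose identity field carries the authenticated Superset username, the FAB route `/api/v1/security/roles/` (assumed from the default FAB security API prefix), and a locally maintained set of admin accounts; the log lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (Common Log Format). The third field is
# assumed to hold the authenticated Superset username (deployment-specific).
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Dec/2024:10:01:02 +0000] "POST /api/v1/security/roles/ HTTP/1.1" 201 120
10.0.0.9 - analyst_bob [10/Dec/2024:10:02:15 +0000] "POST /api/v1/security/roles/ HTTP/1.1" 201 118
10.0.0.9 - analyst_bob [10/Dec/2024:10:02:40 +0000] "GET /api/v1/chart/ HTTP/1.1" 200 5120
10.0.0.7 - analyst_eve [10/Dec/2024:10:03:01 +0000] "PUT /api/v1/security/roles/3 HTTP/1.1" 200 80
10.0.0.7 - analyst_eve [10/Dec/2024:10:03:30 +0000] "POST /api/v1/security/roles/ HTTP/1.1" 403 40
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Assumed FAB security API role routes: the collection and a single role by id.
ROLE_PATH_RE = re.compile(r"^/api/v1/security/roles/?(\d+/?)?$")
WRITE_METHODS = {"POST", "PUT", "DELETE"}
ADMIN_USERS = {"admin"}  # hypothetical list of accounts allowed to manage roles


@dataclass(frozen=True)
class Finding:
    user: str
    ip: str
    method: str
    path: str
    status: int


def find_role_writes_by_non_admins(log_text: str, admins=ADMIN_USERS) -> list[Finding]:
    """Return successful role-management writes made by non-admin accounts."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        status = int(m["status"])
        if m["method"] not in WRITE_METHODS or not ROLE_PATH_RE.match(m["path"]):
            continue
        if m["user"] in admins or status >= 400:
            continue  # expected administrators and rejected attempts are not findings
        findings.append(Finding(m["user"], m["ip"], m["method"], m["path"], status))
    return findings


if __name__ == "__main__":
    for f in find_role_writes_by_non_admins(SAMPLE_LOG):
        print(f"ALERT: {f.user} from {f.ip} {f.method} {f.path} -> {f.status}")
```

On a deployment where FAB_ADD_SECURITY_API is left disabled, every such request should fail, so any successful hit is worth an immediate look; denied attempts (status 4xx) are dropped here but are a useful secondary signal.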
The second vulnerability tracked as CVE-2024-53948 with a CVSS score of 5.3 stems from the excessive verbosity of error messages generated by Superset. Under certain conditions, these error messages could inadvertently expose metadata about the underlying analytics database, potentially providing attackers with valuable information for further exploitation.
The third vulnerability, tracked as CVE-2024-53947 with a CVSS score of 2.3, stems from improper SQL authorization checks, specifically related to certain PostgreSQL functions. Attackers could exploit this flaw to bypass Superset’s security mechanisms and execute arbitrary SQL queries, potentially leading to data breaches and unauthorized access to sensitive information.
The Apache Software Foundation urges all Superset users to upgrade to version 4.1.0 immediately. This release includes comprehensive patches that address all three vulnerabilities.