apache-superset
Fixed in 1.4.2
CVE-2022-27479 describes a critical SQL injection vulnerability affecting Apache Superset versions up to 1.4.1. This flaw allows attackers to inject malicious SQL code into chart data requests, potentially leading to unauthorized data access and manipulation. Affected users should immediately upgrade to version 1.4.2 or later to address this security risk. A patch has been released to resolve the issue.
The SQL injection vulnerability in Apache Superset allows an attacker to craft malicious chart data requests that execute arbitrary SQL queries against the underlying database. Successful exploitation could result in the extraction of sensitive data, including user credentials, financial information, and business-critical data stored within the database. Depending on the database permissions granted to the Superset user, an attacker might also be able to modify or delete data, or even gain control of the database server itself. This vulnerability is particularly concerning given Superset's role in data visualization and business intelligence, where access to sensitive data is common. The impact could be catastrophic, leading to data breaches, financial losses, and reputational damage.
CVE-2022-27479 was publicly disclosed on April 13, 2022. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target for attackers. The vulnerability is not currently listed on CISA's KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of exploiting this flaw. Organizations should prioritize patching to prevent potential compromise.
Organizations utilizing Apache Superset for data visualization and business intelligence are at risk, particularly those running versions prior to 1.4.2. Environments with sensitive data stored in the database, such as financial records or user credentials, face a heightened risk of compromise. Shared hosting environments where multiple users share the same Superset instance are also particularly vulnerable.
• python / server:
import requests

url = "http://localhost:8888/superset/chart/"  # Replace with your Superset URL
payload = "' OR 1=1 -- "

# Pass the payload as a query parameter; requests URL-encodes it
# (building the URL with str(params) does not produce a valid query string)
params = {"slice_id": payload}

# Send the request
response = requests.get(url, params=params, timeout=10)

# Check for SQL injection indicators in the response
if "SELECT" in response.text:
    print("Possible SQL injection detected!")
else:
    print("No SQL injection detected.")
• generic web:
curl -s -G "http://your-superset-host/superset/chart/" --data-urlencode "slice_id=test' OR 1=1 -- " | grep -i "select"
EPSS: 4.33% (89th percentile)
The primary mitigation for CVE-2022-27479 is to upgrade Apache Superset to version 1.4.2 or higher, which includes the necessary fix. If an immediate upgrade is not feasible due to compatibility issues or downtime constraints, consider implementing temporary workarounds. These might include restricting access to Superset dashboards containing sensitive data, carefully reviewing and validating all user inputs, and implementing stricter database access controls for the Superset user. Web application firewalls (WAFs) configured to detect and block SQL injection attempts can also provide an additional layer of protection. After upgrading, verify the fix by attempting to craft a simple SQL injection payload within a chart data request and confirming that it is properly sanitized and does not execute arbitrary SQL.
Upgrade Apache Superset to version 1.4.2 or later. This version contains the fix for the SQL injection vulnerability. The upgrade can be performed through the Python package manager (pip) or by following the upgrade instructions provided by Apache Superset.
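As an added example (not code from this page or from the Apache Superset project), the Python below covers the two defender-side checks the mitigation advice calls for: it classifies pinned dependency lines against the 1.4.2 fix version, and it screens web-server access-log lines for chart requests whose decoded query parameters carry SQL metacharacters, which is the kind of pattern a WAF or SIEM rule would key on. The requirement lines and log lines it runs on are constructed here, the `/superset/chart/` path is taken from the page's own probe rather than from the advisory, and the metacharacter regex is a deliberately crude starting point to be tuned for your own environment.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Fix version named in the advisory: every release up to 1.4.1 is affected.
FIXED_VERSION = (1, 4, 2)

# One requirements.txt / pip-freeze line: name, optional extras, optional pin.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*"
    r"(?:(?P<op>===|==|~=|>=|<=|>|<)\s*(?P<ver>[0-9][0-9A-Za-z.]*))?"
)

# Request path inside a combined-format access-log line.
_REQ_LINE_RE = re.compile(r'"(?:GET|POST|PUT|DELETE)\s+(?P<path>\S+)')

# Crude SQL-metacharacter hints (assumed starting point, tune for your own rules).
_SQLI_HINTS = re.compile(
    r"('|--|;|/\*|\bor\s+\d+\s*=\s*\d+|\bunion\s+select\b)", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.4.1' -> (1, 4, 1); a non-numeric tail such as 'rc1' is dropped."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the given Superset version predates the 1.4.2 fix."""
    return parse_version(version) < FIXED_VERSION


def check_requirement_line(line: str) -> Optional[str]:
    """Classify one dependency line as 'affected', 'fixed' or 'unpinned';
    returns None when the line is not apache-superset at all."""
    m = _REQ_RE.match(line.split("#", 1)[0])  # drop trailing comments
    if not m:
        return None
    name = m.group("name").lower().replace("_", "-")
    if name != "apache-superset":
        return None
    if m.group("op") not in ("==", "==="):
        return "unpinned"  # range or no pin: check the installed version instead
    return "affected" if is_affected(m.group("ver")) else "fixed"


def suspicious_params(log_line: str) -> List[Tuple[str, str]]:
    """Decoded query parameters of the logged request whose value carries
    SQL metacharacters; an empty list means nothing stood out."""
    m = _REQ_LINE_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("path")).query
    return [
        (key, value)
        for key, value in parse_qsl(query, keep_blank_values=True)
        if _SQLI_HINTS.search(value)
    ]


if __name__ == "__main__":
    # Constructed sample input (not real data).
    sample_requirements = [
        "apache-superset==1.4.1",
        "Apache_Superset[postgres]==1.3.0  # BI stack",
        "apache-superset>=1.4.2",
        "requests==2.27.1",
    ]
    for line in sample_requirements:
        print(f"{line!r}: {check_requirement_line(line)}")

    sample_log = [
        '10.0.0.5 - - [13/Apr/2022:10:00:00 +0000] "GET /superset/chart/?slice_id=42 HTTP/1.1" 200 512',
        '10.0.0.9 - - [13/Apr/2022:10:00:03 +0000] "GET /superset/chart/?slice_id=test%27%20OR%201%3D1%20--%20 HTTP/1.1" 500 87',
    ]
    for entry in sample_log:
        hits = suspicious_params(entry)
        if hits:
            print("suspicious request:", hits)
```

Lines the dependency check reports as "unpinned" cannot be judged from the file alone; resolve the installed version (for example from `pip freeze`) and pass it to `is_affected` instead. The log screen decodes percent-encoding before matching, so an encoded quote or comment sequence is caught the same way as a literal one.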
CVE-2022-27479 is a critical SQL injection vulnerability in Apache Superset versions up to 1.4.1, allowing attackers to execute malicious SQL code.
Yes, if you are running Apache Superset versions 1.4.1 or earlier, you are vulnerable to this SQL injection flaw.
Upgrade Apache Superset to version 1.4.2 or higher to resolve the vulnerability. Consider temporary workarounds if an immediate upgrade is not possible.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the Apache Superset security advisory for detailed information and updates: https://superset.apache.org/docs/security