A recent security review of Apache Superset, an open-source data visualization and exploration platform, has uncovered vulnerabilities that allowed attackers to bypass security restrictions and execute SQL injections.
This discovery highlights concerns over the robustness of the application’s safeguards against malicious SQL queries.
While Apache Superset is widely utilized for creating dashboards and analytics, this finding underscores the need for continuous security vigilance.
Understanding the Vulnerability
Apache Superset enables users to perform SQL queries and visualize data without direct database management.
However, the security mechanisms in place to prevent misuse, such as executing arbitrary SQL queries, were found to be inadequate during an audit.
The review team discovered that two API endpoints (/superset/explore_json/ and /api/v1/chart/data) could be exploited to bypass query validation checks.
Key functions in Superset’s source code, such as validate_adhoc_subquery() and has_table_query(), are responsible for detecting and blocking unauthorized subqueries.
However, by analyzing PostgreSQL’s documentation, researchers identified that certain PostgreSQL functions, like query_to_xml(query text, nulls boolean, table forest boolean, targets text), could be exploited.
These functions convert SQL query results into XML but inadvertently allow malicious queries to be executed by treating them as function parameters rather than actual SQL commands.
This bypassed the security checks implemented in the code.
Discovery and Reporting Process
The vulnerabilities were found using a combination of application/API analysis and database documentation review.
The team set up a testing environment with Apache Superset (version 4.0.1).
It demonstrated that the platform’s parsing logic, powered by the SQL parse library failed to detect malicious queries when passed as function parameters.
After identifying the issue, the findings were reported to Apache’s security team on May 20, 2024. The Apache Superset team acknowledged the vulnerabilities and began working on fixes.
While one injection point (/api/v1/chart/data) and the first PostgreSQL function (query_to_xml) were being addressed, additional functions that could also enable attacks were highlighted by researchers.
These included query_to_xml_and_xmlschema(), table_to_xml(), and others.
Version 4.0.2 deployed a patch for the initial vulnerabilities, and further improvements were planned for version 4.1.0.
Future Implications and Mitigation
This incident illustrates the challenges of securing platforms that enable dynamic SQL queries.
Apache Superset users are advised to update their installations to patched versions and review their configurations for additional safeguards.
The vulnerability was tracked under CVE-2024-39887, with recommended updates and configurations expected to be detailed in Apache Superset’s forthcoming security advisory.
Organizations using tools like Superset should adopt a proactive approach to security by conducting regular audits, adopting the principle of least privilege for databases, and keeping software dependencies up to date.
This case serves as a reminder of the critical role that secure coding practices and thorough testing play in preventing exploitation.
Also Read:
.webp?w=1200&resize=1200,0&ssl=1&description=This discovery highlights concerns over the robustness of the application's safeguards against malicious SQL queries.){kind=link}