PT-2023-14020 · Apache · Apache Superset
Daniel Gaspar +1
Published 2023-01-16 · Updated 2025-04-08
CVE-2022-41703
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache Superset versions 1.5.2 and prior
Apache Superset version 2.0.0
Description
A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields that reference tables on the same database which the user should not have access to, even though the ALLOW_ADHOC_SUBQUERY feature flag is disabled for that user.
Recommendations
For Apache Superset versions 1.5.2 and prior, consider disabling the SQL Alchemy connector until a patch is available.
For Apache Superset version 2.0.0, consider disabling the SQL Alchemy connector until a patch is available.
As a temporary workaround, consider restricting access to the WHERE and HAVING fields in the SQL Alchemy connector to minimize the risk of exploitation.
Fix
Weakness Enumeration
SQL injection
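The weakness above comes down to a missing server-side check: when ALLOW_ADHOC_SUBQUERY is off, an expression typed into a WHERE or HAVING field must be rejected before it is interpolated into the generated SQL. The following is an added example of such a guard, written for this page; it is not Apache Superset's code, and the function and exception names (validate_adhoc_clause, AdhocSubqueryNotAllowed) are hypothetical. It deliberately errs on the side of rejecting: any SELECT or WITH keyword that is not inside a string literal, quoted identifier or comment is treated as an embedded query.

```python
"""Server-side guard for ad hoc WHERE / HAVING expressions.

Added example, not Apache Superset's own code. The tokenizer below is
conservative: a SELECT or WITH keyword anywhere outside literals and
comments is treated as a subquery, because a valid filter expression has
no legitimate reason to contain one.
"""
from typing import Iterator

# Keywords that only appear in a filter expression if it embeds a query.
SUBQUERY_KEYWORDS = {"select", "with"}


class AdhocSubqueryNotAllowed(ValueError):
    """Raised when a filter embeds a subquery but the feature flag is off."""


def sql_words(expression: str) -> Iterator[str]:
    """Yield bare words from a SQL fragment, lower-cased.

    String literals ('...'), quoted identifiers ("..." and `...`), line
    comments (-- ...) and block comments (/* ... */) are skipped so that
    the word 'select' inside a literal does not cause a false positive.
    """
    i, n = 0, len(expression)
    while i < n:
        ch = expression[i]
        if ch in ("'", '"', "`"):
            # Skip to the matching closing quote, honouring doubled-quote
            # escapes such as 'it''s'. An unterminated quote consumes the rest.
            j = i + 1
            while j < n:
                if expression[j] == ch:
                    if j + 1 < n and expression[j + 1] == ch:
                        j += 2
                        continue
                    break
                j += 1
            i = j + 1
        elif expression.startswith("--", i):
            j = expression.find("\n", i)
            i = n if j == -1 else j + 1
        elif expression.startswith("/*", i):
            j = expression.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif ch.isalpha() or ch == "_":
            j = i
            while j < n and (expression[j].isalnum() or expression[j] == "_"):
                j += 1
            yield expression[i:j].lower()
            i = j
        else:
            # Operators, digits, whitespace and parentheses carry no keyword.
            i += 1


def contains_subquery(expression: str) -> bool:
    """True if the fragment contains a SELECT/WITH keyword outside literals."""
    return any(word in SUBQUERY_KEYWORDS for word in sql_words(expression))


def validate_adhoc_clause(expression: str, allow_adhoc_subquery: bool) -> str:
    """Return the expression unchanged if it may be used, otherwise raise.

    allow_adhoc_subquery mirrors the per-deployment feature flag: when it is
    False, the clause must be a plain predicate over the permitted table.
    """
    if not allow_adhoc_subquery and contains_subquery(expression):
        raise AdhocSubqueryNotAllowed(
            "subqueries are disabled for ad hoc WHERE/HAVING expressions"
        )
    return expression


if __name__ == "__main__":
    # Constructed sample inputs: the first two are ordinary filters, the
    # third is the shape of clause the advisory describes.
    samples = [
        "country = 'US' AND revenue > 100",
        "note = 'select from nothing' -- select in a comment",
        "country IN (SELECT country FROM restricted_table)",
    ]
    for clause in samples:
        try:
            validate_adhoc_clause(clause, allow_adhoc_subquery=False)
            print("accepted:", clause)
        except AdhocSubqueryNotAllowed as exc:
            print("rejected:", clause, "->", exc)
```

The check is applied to the raw text of each ad hoc field before SQL generation, with the flag value taken from server-side configuration rather than from anything the client sends. Rejecting on keyword presence rather than trying to parse the subquery keeps the guard small and hard to bypass through dialect-specific syntax.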
Related Identifiers
Affected Products
Apache Superset