PT-2024-20550 · Apache · Apache Superset

Linden Haynes

Published

2024-02-28

Updated

2025-02-12

CVE-2024-24772

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Apache Superset versions prior to 3.0.4 Apache Superset versions 3.1.0 through 3.1.0

Description A guest user could exploit a chart data REST API and send arbitrary SQL statements that, on error, could leak information from the underlying analytics database.

Recommendations For Apache Superset versions prior to 3.0.4, upgrade to version 3.0.4. For Apache Superset versions 3.1.0, upgrade to version 3.1.1.

Fix

SQL injection

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89CWE-20

Related Identifiers

BIT-SUPERSET-2024-24772

CVE-2024-24772

GHSA-M6JM-3V38-76J4

Affected Products

Apache Superset

PT-2024-20550 · Apache · Apache Superset

CVE-2024-24772

Weakness Enumeration

Related Identifiers

Affected Products

References · 12