CVE-2024-34693

Name of the Vulnerable Software and Affected Versions Apache Superset versions prior to 3.1.3 Apache Superset version 4.0.0

Description The issue is related to improper input validation in Apache Superset, allowing an authenticated attacker to create a MariaDB connection with local infile enabled. If both the MariaDB server and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that can read files from the server and insert their content into a MariaDB database table.

Recommendations For Apache Superset versions prior to 3.1.3, upgrade to version 3.1.3 to fix the issue. For Apache Superset version 4.0.0, upgrade to version 4.0.1 to fix the issue. As a temporary workaround, consider disabling the local infile option in the MariaDB connection to minimize the risk of exploitation. Restrict access to the MariaDB database table to prevent unauthorized data insertion. Avoid using the local mysql client on the web server to connect to the MariaDB server until the issue is resolved.