CVE-2024-39887

Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 4.0.2

Description: The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. The vulnerability is associated with the version, query to xml, inet server addr, and inet client addr functions.

Recommendations: To mitigate this issue, upgrade to version 4.0.2, which fixes the issue. As a temporary workaround, consider introducing a new configuration key named DISALLOWED SQL FUNCTIONS to disallow the use of the following PostgreSQL functions: version, query to xml, inet server addr, and inet client addr. Additional functions can be added to this list for increased protection.