CVE-2024-53947

Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 4.1.0

Description: The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, allowing attackers to bypass SQL authorization. The affected functions include query to xml and xmlschema, table to xml, and table to xml and xmlschema. This vulnerability may allow a remote attacker to execute arbitrary SQL code.

Recommendations: For versions prior to 4.1.0, upgrade to version 4.1.0 to fix the issue. Alternatively, add the Postgres functions query to xml and xmlschema, table to xml, and table to xml and xmlschema to the config set DISALLOWED SQL FUNCTIONS as a temporary workaround.