CVE-2024-24773

Published: Feb 28, 2024Modified: Feb 13, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.

Affected (2)

Products: Apache: Superset

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Superset	Before 3.0.4
Apache Superset	From 3.1.0 to 3.1.1

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

http://www.openwall.com/lists/oss-security/2024/02/28/4

Source: security@apache.org

Mailing ListThird Party Advisory

https://lists.apache.org/thread/h66fy6nj41cfx07zh7l552w6dmtjh501

Source: security@apache.org

Mailing ListVendor Advisory

http://www.openwall.com/lists/oss-security/2024/02/28/4

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.apache.org/thread/h66fy6nj41cfx07zh7l552w6dmtjh501

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.