CVE-2024-39887

Source
https://cve.org/CVERecord?id=CVE-2024-39887
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39887.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-39887
Aliases
Published
2024-07-16T09:20:10.688Z
Modified
2026-07-08T06:27:31.069664355Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions
Details

An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWEDSQLFUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, querytoxml, inetserveraddr, and inetclientaddr. Additional functions can be added to this list for increased protection.

This issue affects Apache Superset: before 4.0.2.

Users are recommended to upgrade to version 4.0.2, which fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39887.json",
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-89"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "4.0.2"
                }
            ],
            "source": "AFFECTED_FIELD"
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "fixed": "4.0.2"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/apache/superset

Affected ranges

Type
GIT
Repo
https://github.com/apache/superset
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.0.2"
        }
    ]
}

Affected versions

0.*
0.10.0
0.11.0
0.12.0
0.13.1
0.13.2
0.14.1
0.15.0
0.15.1
0.15.3
0.15.4
0.15.4.1
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.17.6
0.18.2
0.18.3
0.18.4
0.18.5
0.19.1
0.2.1
0.20.1
0.25-fork
0.29.0rc1
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.6.1
0.7.0
0.8.0
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.9.0
0.9.1
2020.*
2020.51.1
4.*
4.0.0
4.0.0rc1
4.0.0rc2
4.0.1
4.0.1rc1
4.0.2rc1
airbnb_prod.*
airbnb_prod.0.10.0.2
airbnb_prod.0.11.0.1
airbnb_prod.0.11.0.2
airbnb_prod.0.11.0.3
airbnb_prod.0.11.0.4
airbnb_prod.0.11.0.5
airbnb_prod.0.11.0.6
airbnb_prod.0.12.0.1
airbnb_prod.0.12.1.0
airbnb_prod.0.13.0.0
airbnb_prod.0.13.0.1
airbnb_prod.0.13.0.2
airbnb_prod.0.13.0.3
airbnb_prod.0.15.0.1
airbnb_prod.0.15.4.1
airbnb_prod.0.15.4.2
airbnb_prod.0.15.5.0
Other
dummy
rm
test_tag
superset-helm-chart-0.*
superset-helm-chart-0.1.0
superset-helm-chart-0.1.1
superset-helm-chart-0.1.2
superset-helm-chart-0.1.3
superset-helm-chart-0.1.4
superset-helm-chart-0.1.5
superset-helm-chart-0.1.6
superset-helm-chart-0.10.0
superset-helm-chart-0.10.1
superset-helm-chart-0.10.10
superset-helm-chart-0.10.11
superset-helm-chart-0.10.12
superset-helm-chart-0.10.13
superset-helm-chart-0.10.14
superset-helm-chart-0.10.15
superset-helm-chart-0.10.2
superset-helm-chart-0.10.3
superset-helm-chart-0.10.4
superset-helm-chart-0.10.5
superset-helm-chart-0.10.6
superset-helm-chart-0.10.7
superset-helm-chart-0.10.8
superset-helm-chart-0.10.9
superset-helm-chart-0.11.0
superset-helm-chart-0.11.1
superset-helm-chart-0.11.2
superset-helm-chart-0.12.0
superset-helm-chart-0.12.1
superset-helm-chart-0.12.2
superset-helm-chart-0.12.3
superset-helm-chart-0.12.4
superset-helm-chart-0.12.5
superset-helm-chart-0.2.0
superset-helm-chart-0.2.1
superset-helm-chart-0.3.0
superset-helm-chart-0.3.1
superset-helm-chart-0.3.10
superset-helm-chart-0.3.11
superset-helm-chart-0.3.12
superset-helm-chart-0.3.2
superset-helm-chart-0.3.3
superset-helm-chart-0.3.4
superset-helm-chart-0.3.5
superset-helm-chart-0.3.6
superset-helm-chart-0.3.7
superset-helm-chart-0.3.8
superset-helm-chart-0.3.9
superset-helm-chart-0.4.0
superset-helm-chart-0.5.0
superset-helm-chart-0.5.1
superset-helm-chart-0.5.10
superset-helm-chart-0.5.2
superset-helm-chart-0.5.3
superset-helm-chart-0.5.4
superset-helm-chart-0.5.5
superset-helm-chart-0.5.6
superset-helm-chart-0.5.7
superset-helm-chart-0.5.8
superset-helm-chart-0.5.9
superset-helm-chart-0.6.0
superset-helm-chart-0.6.1
superset-helm-chart-0.6.2
superset-helm-chart-0.6.3
superset-helm-chart-0.6.4
superset-helm-chart-0.6.5
superset-helm-chart-0.6.6
superset-helm-chart-0.7.0
superset-helm-chart-0.7.1
superset-helm-chart-0.7.2
superset-helm-chart-0.7.3
superset-helm-chart-0.7.4
superset-helm-chart-0.7.6
superset-helm-chart-0.7.7
superset-helm-chart-0.8.0
superset-helm-chart-0.8.1
superset-helm-chart-0.8.10
superset-helm-chart-0.8.2
superset-helm-chart-0.8.3
superset-helm-chart-0.8.4
superset-helm-chart-0.8.5
superset-helm-chart-0.8.6
superset-helm-chart-0.8.7
superset-helm-chart-0.8.8
superset-helm-chart-0.8.9
superset-helm-chart-0.9.0
superset-helm-chart-0.9.1
superset-helm-chart-0.9.2
superset-helm-chart-0.9.3
superset-helm-chart-0.9.4
v2020.*
v2020.51.0
v2021.*
v2021.10.0
v2021.13.0
v2021.15.0
v2021.17.0
v2021.18.0
v2021.19.0
v2021.20.0
v2021.21.0
v2021.22.0
v2021.23.0
v2021.23.1
v2021.24.0
v2021.25.0
v2021.27.0
v2021.27.1
v2021.29.0
v2021.3.0
v2021.31.0
v2021.34.0
v2021.35.0
v2021.36.0
v2021.36.5
v2021.38.0
v2021.40.0
v2021.41.0
v2021.5.0
v2021.5.1
v2021.6.0
v2021.7.0
v2021.8.0
v2021.9.0
v2021.9.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39887.json"