CVE-2021-41971
📋 TL;DR
This vulnerability allows authenticated attackers to perform SQL injection attacks in Apache Superset when template processing is enabled. It affects Apache Superset versions up to and including 1.3.0 configured with ENABLE_TEMPLATE_PROCESSING set to True, which is disabled by default.
💻 Affected Systems
- Apache Superset
📦 What is this software?
Superset by Apache
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious user could execute arbitrary SQL commands, potentially leading to data theft, data manipulation, or unauthorized access to the database.
Likely Case
Authenticated users with malicious intent could exploit this to extract or modify sensitive data from the underlying database.
If Mitigated
If ENABLE_TEMPLATE_PROCESSING is disabled (default), the vulnerability is not exploitable, limiting impact to misconfigured instances.
🎯 Exploit Status
Exploitation requires authenticated access and the vulnerable configuration to be enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.3.1 or later
Vendor Advisory: https://lists.apache.org/thread.html/rf7292731268c6c6e2196ae1583e32ac7189385364268f8d9215e8e6d%40%3Cdev.superset.apache.org%3E
Restart Required: Yes
Instructions:
1. Upgrade Apache Superset to version 1.3.1 or later.
2. Restart the Superset service to apply the patch.
🔧 Temporary Workarounds
Disable Template Processing
Set ENABLE_TEMPLATE_PROCESSING to False in the Superset configuration to mitigate the vulnerability.
Edit superset_config.py or set the environment variable: ENABLE_TEMPLATE_PROCESSING=False
🧯 If You Can't Patch
- Ensure ENABLE_TEMPLATE_PROCESSING is set to False in the configuration.
- Restrict access to authenticated users and monitor for suspicious SQL queries in logs.
🔍 How to Verify
Check if Vulnerable:
Check if Apache Superset version is 1.3.0 or earlier and if ENABLE_TEMPLATE_PROCESSING is set to True in the configuration.
Check Version:
Run: superset version (or check the Superset web interface for version info).
Verify Fix Applied:
Verify the version is 1.3.1 or later and confirm ENABLE_TEMPLATE_PROCESSING is False or the patch is applied.
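The two conditions under "Check if Vulnerable", as an added example (not part of the advisory or Superset's own code): a Python check that compares the version against 1.3.1 and reads the flag from the config text without executing it. It assumes the flag appears either as a top-level assignment, as written above, or as a key in a FEATURE_FLAGS dict; the function names and sample configs are constructed for illustration.

```python
import ast

FIXED = (1, 3, 1)  # first patched release, per the advisory above
FLAG = "ENABLE_TEMPLATE_PROCESSING"

def parse_version(text):
    """Turn '1.3.0' or '1.3.0rc2' into a comparable tuple of three ints."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts + [0] * (3 - len(parts)))

def template_processing_enabled(config_source):
    """Read the flag from config text without running it (default: False).

    Only literal assignments are recognised; a value computed at runtime
    or set through a subscript assignment is not seen (assumption of this
    example), so review such configs by hand.
    """
    enabled = False
    for node in ast.parse(config_source).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            name = getattr(target, "id", None)
            if name == FLAG and isinstance(node.value, ast.Constant):
                enabled = bool(node.value.value)
            elif name == "FEATURE_FLAGS" and isinstance(node.value, ast.Dict):
                for key, value in zip(node.value.keys, node.value.values):
                    if (isinstance(key, ast.Constant) and key.value == FLAG
                            and isinstance(value, ast.Constant)):
                        enabled = bool(value.value)
    return enabled

def is_exposed(version_text, config_source):
    """True when both conditions from 'Check if Vulnerable' hold."""
    return (parse_version(version_text) < FIXED
            and template_processing_enabled(config_source))

# Constructed sample configs, not taken from a real deployment.
SAMPLE_ON = 'FEATURE_FLAGS = {"ENABLE_TEMPLATE_PROCESSING": True}\n'
SAMPLE_OFF = "ROW_LIMIT = 5000\n"
```

Pass the output of the version command and the contents of superset_config.py to is_exposed(); a True result means the instance needs the upgrade or the workaround.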
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in Superset logs, especially from authenticated users with template-related requests.
Network Indicators:
- HTTP requests to Superset endpoints with suspicious parameters that might indicate SQL injection attempts.
SIEM Query:
Example: source="superset.log" AND (message CONTAINS "sql" OR message CONTAINS "injection")