CVE-2022-27479

9.8 CRITICAL

📋 TL;DR

CVE-2022-27479 is a critical SQL injection vulnerability in Apache Superset that allows an authenticated attacker to execute arbitrary SQL commands through chart data requests. It affects all Apache Superset versions before 1.4.2. Attackers could potentially access, modify, or delete database information.

💻 Affected Systems

Products:
  • Apache Superset
Versions: All versions before 1.4.2
Operating Systems: All operating systems running Apache Superset
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. The vulnerability exists in chart data request handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.

🟠 Likely Case: Unauthorized data access, data exfiltration, and potential privilege escalation within the database.

🟢 If Mitigated: Limited impact with proper input validation and database user privilege restrictions.

🌐 Internet-Facing: HIGH - Internet-facing Superset instances are directly exploitable by remote attackers.
🏢 Internal Only: HIGH - Internal instances remain vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to Superset. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.2 or higher

Vendor Advisory: https://lists.apache.org/thread/94th50j5d0y2fw7ysx0g7w3t6jk3z7q6

Restart Required: Yes

Instructions:

1. Back up your Superset instance and its database.
2. Update Apache Superset to version 1.4.2 or later using pip: pip install --upgrade apache-superset==1.4.2
3. Run database migrations: superset db upgrade
4. Restart the Superset service.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement strict input validation for chart data request parameters to block SQL injection patterns, either as WAF rules or as application-level validation on all chart-related endpoints.

Database User Privilege Reduction (applies to: all)

Limit database user permissions to read-only for the accounts Superset uses to query analytics data sources. (PostgreSQL syntax shown; note that Superset's own metadata database still needs write access for migrations and normal operation, so apply this to data-source connections, not to the metadata database user.)

-- Strip administrative capabilities from the Superset data-source account
ALTER USER superset_user WITH NOSUPERUSER NOCREATEDB NOCREATEROLE;
-- Remove database-level privileges granted directly to the account (CONNECT via PUBLIC remains)
REVOKE ALL ON DATABASE superset_db FROM superset_user;
-- Re-grant read access only on the tables Superset needs to query
GRANT SELECT ON ALL TABLES IN SCHEMA public TO superset_user;

🧯 If You Can't Patch

  • Implement network segmentation to isolate Superset instances from critical databases
  • Enable detailed SQL query logging and monitor for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check Superset version: if version is less than 1.4.2, the system is vulnerable.

Check Version:

superset version

Verify Fix Applied:

Confirm Superset version is 1.4.2 or higher and test chart data requests with SQL injection payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs from Superset application user
  • Multiple failed login attempts followed by chart data requests
  • SQL syntax errors in application logs

Network Indicators:

  • Unusual database connection patterns from Superset hosts
  • Large data transfers from database to Superset instances

SIEM Query:

source="superset_logs" AND (message="*sql*" OR message="*query*") AND message="*error*"
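As an added example (not part of the original advisory), the following Python scans application log lines for the indicator above: repeated SQL syntax errors from a single account on chart data requests. The log layout, the /api/v1/chart/data path, the error strings and the sample lines are constructed assumptions; adapt the regex to your deployment's log format.

```python
import re
from collections import Counter

# Constructed sample log in an assumed "timestamp level logger: message" layout.
# Real Superset/Flask log formats vary by deployment; adjust LINE_RE to match yours.
SAMPLE_LOG = """\
2022-03-10 10:01:02 INFO superset.views: user=alice POST /api/v1/chart/data status=200
2022-03-10 10:01:05 ERROR superset.connectors: user=mallory POST /api/v1/chart/data status=500 sqlalchemy.exc.ProgrammingError: syntax error at or near "UNION"
2022-03-10 10:01:06 ERROR superset.connectors: user=mallory POST /api/v1/chart/data status=500 sqlalchemy.exc.ProgrammingError: unterminated quoted string
2022-03-10 10:01:09 INFO superset.views: user=bob POST /api/v1/dashboard/ status=200
2022-03-10 10:02:00 ERROR superset.tasks: user=system scheduler failed: connection refused
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<logger>\S+): user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)(?: status=(?P<status>\d+))?(?P<rest>.*)$"
)
CHART_DATA_PATH = "/api/v1/chart/data"  # assumed endpoint for chart data requests
# Assumed substrings that indicate the database rejected a malformed query
SQL_ERROR_HINTS = ("syntax error", "unterminated quoted string", "programmingerror")


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_sql_error(rec):
    """True when an ERROR-level record carries a database syntax/parse error message."""
    text = (rec.get("rest") or "").lower()
    return rec["level"] == "ERROR" and any(hint in text for hint in SQL_ERROR_HINTS)


def find_suspicious(log_text, threshold=2):
    """Count SQL errors per user on the chart data endpoint and return
    {user: count} for users at or above threshold. Repeated syntax errors from
    one account against chart data requests are the indicator the advisory names;
    legitimate chart usage rarely produces them in bursts."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == CHART_DATA_PATH and is_sql_error(rec):
            counts[rec["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))  # {'mallory': 2}
```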
