CVE-2024-39887

4.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Apache Superset allows attackers to bypass SQL authorization by exploiting improperly sanitized PostgreSQL functions. It affects all Apache Superset installations before version 4.0.2. Attackers could potentially execute unauthorized SQL queries against the database.

💻 Affected Systems

Products:
  • Apache Superset
Versions: All versions before 4.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PostgreSQL database connections; other database engines may not be vulnerable

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data exfiltration, modification, or deletion through unauthorized SQL execution

🟠

Likely Case

Unauthorized data access and potential privilege escalation within the database

🟢

If Mitigated

Limited impact with proper input validation and function restrictions in place

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to Superset interface; exploitation involves crafting specific SQL function calls

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.2

Vendor Advisory: https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz

Restart Required: Yes

Instructions:

1. Back up your Superset instance and its metadata database.
2. Upgrade to Apache Superset 4.0.2 using pip: 'pip install apache-superset==4.0.2'.
3. Run the database migrations: 'superset db upgrade'.
4. Restart the Superset service.

🔧 Temporary Workarounds

Configure DISALLOWED_SQL_FUNCTIONS

all

Add vulnerable PostgreSQL functions to the disallowed functions list in Superset configuration

Add to superset_config.py: DISALLOWED_SQL_FUNCTIONS = ['version', 'query_to_xml', 'inet_server_addr', 'inet_client_addr']

🧯 If You Can't Patch

  • Implement network segmentation to restrict database access from Superset instances
  • Apply strict input validation and SQL query monitoring at the database layer

🔍 How to Verify

Check if Vulnerable:

Check the running Superset version with 'superset version', or inspect the installed apache-superset package version in the Python environment ('pip show apache-superset').

Check Version:

superset version

Verify Fix Applied:

Confirm version is 4.0.2 or later and verify DISALLOWED_SQL_FUNCTIONS configuration includes vulnerable functions

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries containing version(), query_to_xml(), inet_server_addr(), or inet_client_addr() functions
  • Multiple failed authorization attempts in Superset logs

Network Indicators:

  • Unexpected database connections from Superset application servers
  • Anomalous SQL query patterns to PostgreSQL

SIEM Query:

source="superset" AND ("version()" OR "query_to_xml" OR "inet_server_addr" OR "inet_client_addr")
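The log indicators and SIEM query above are keyword matches; a plain substring search for "version" will also fire on harmless identifiers such as a column named app_version. The following Python is an added example, not code from the advisory or from the Apache Superset project: it scans SQL Lab-style query log lines for actual calls to the four PostgreSQL functions named on this page, matching the function name only when it is followed by an opening parenthesis, ignoring case and whitespace, and stripping SQL comments first so a call split by a comment is still seen. The log line format (`user=... db=... sql="..."`) is constructed for the example and is not Superset's real log format; adapt the `_LOG_LINE` pattern to whatever your deployment actually emits.

```python
import re

# The four PostgreSQL functions named in this advisory's log indicators.
DISALLOWED_PG_FUNCTIONS = ("version", "query_to_xml", "inet_server_addr", "inet_client_addr")

# A disallowed name followed by "(", case-insensitive, and not preceded by an
# identifier character, so "pg_version(" or "app_version(" does not match.
_CALL_PATTERN = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(DISALLOWED_PG_FUNCTIONS) + r")\s*\(",
    re.IGNORECASE,
)

# Constructed log line shape (hypothetical, not Superset's real format).
_LOG_LINE = re.compile(r'user=(?P<user>\S+)\s+db=(?P<db>\S+)\s+sql="(?P<sql>.*)"\s*$')


def strip_sql_comments(sql: str) -> str:
    """Remove /* block */ and -- line comments so they cannot split a call apart."""
    sql = re.sub(r"/\*.*?\*/", "", sql, flags=re.DOTALL)
    return re.sub(r"--[^\n]*", "", sql)


def find_disallowed_functions(sql: str) -> list[str]:
    """Return the sorted, lowercased names of disallowed functions called in sql."""
    cleaned = strip_sql_comments(sql)
    return sorted({m.group(1).lower() for m in _CALL_PATTERN.finditer(cleaned)})


def scan_log(lines) -> list[dict]:
    """Return one hit per log line whose SQL calls a disallowed function."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = _LOG_LINE.search(line)
        if not match:
            continue  # not a query log line in the constructed format
        functions = find_disallowed_functions(match.group("sql"))
        if functions:
            hits.append({
                "line": line_no,
                "user": match.group("user"),
                "db": match.group("db"),
                "functions": functions,
            })
    return hits


# Constructed sample log lines: one benign query and four that call the
# functions this advisory tells you to watch for.
SAMPLE_LOG_LINES = [
    '2024-07-10T12:00:01Z user=alice db=pg_main sql="SELECT count(*) FROM orders"',
    '2024-07-10T12:00:05Z user=bob db=pg_main sql="SELECT VERSION ()"',
    '2024-07-10T12:00:09Z user=bob db=pg_main sql="SELECT query_to_xml(\'select 1\', true, false, \'\')"',
    '2024-07-10T12:00:12Z user=carol db=pg_main sql="SELECT pg_version(), inet_client_addr()"',
    '2024-07-10T12:00:15Z user=dave db=pg_main sql="SELECT inet_server_addr/**/()"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: user={hit['user']} db={hit['db']} "
              f"calls={','.join(hit['functions'])}")
```

Each hit carries the user and database connection, which is what you need to pivot into Superset's audit trail; feeding the hits to a SIEM as structured events is more useful than the raw keyword query because the false-positive rate on identifiers that merely contain "version" drops to zero.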
