CVE-2024-53947

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Apache Superset allows attackers to bypass SQL authorization by exploiting unvalidated PostgreSQL functions. Attackers can execute arbitrary SQL commands, potentially accessing or modifying database content. This affects all Apache Superset installations before version 4.1.0.

💻 Affected Systems

Products:
  • Apache Superset
Versions: All versions before 4.1.0
Operating Systems: All operating systems running Apache Superset
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PostgreSQL database connections; other database backends are not vulnerable to this specific bypass.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full database compromise including data exfiltration, modification, or deletion; potential privilege escalation to execute system commands via database functions.

🟠 Likely Case: Unauthorized data access, data manipulation, and potential extraction of sensitive information from connected databases.

🟢 If Mitigated: Limited impact with proper network segmentation and database user privilege restrictions, though SQL injection would still be possible.

🌐 Internet-Facing: HIGH - Apache Superset is often deployed as a business intelligence tool accessible to internal and external users.
🏢 Internal Only: HIGH - Even internal deployments are vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to Superset, but SQL injection techniques are well-documented and easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.0

Vendor Advisory: https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn

Restart Required: Yes

Instructions:

1. Back up your Superset instance and database.
2. Upgrade to Apache Superset 4.1.0 using pip: pip install apache-superset==4.1.0
3. Run database migrations: superset db upgrade
4. Restart all Superset services.

🔧 Temporary Workarounds

Add functions to DISALLOWED_SQL_FUNCTIONS

Applies to: all

Add the vulnerable PostgreSQL functions to the configuration blacklist.

Add to superset_config.py. The setting is a dict keyed by engine name (each value a set of function names), not a flat list, so it must be written in that shape; assigning it in superset_config.py replaces Superset's default dict, so carry over any default entries you still want blocked:

DISALLOWED_SQL_FUNCTIONS = {
    "postgresql": {
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "table_to_xml_and_xmlschema",
    },
}

🧯 If You Can't Patch

  • Restrict database user permissions to read-only access for Superset connections
  • Implement network segmentation to isolate Superset from sensitive databases

🔍 How to Verify

Check if Vulnerable:

Check the Superset version: if it is below 4.1.0 and a PostgreSQL database connection is configured, the system is vulnerable.

Check Version:

pip show apache-superset | grep Version

Verify Fix Applied:

Verify version is 4.1.0 or higher and test that the vulnerable functions are blocked in SQL Lab.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries containing query_to_xml_and_xmlschema, table_to_xml, or table_to_xml_and_xmlschema functions
  • Multiple failed authorization attempts followed by successful complex queries

Network Indicators:

  • Unusual database traffic patterns from Superset application servers
  • Large data transfers from database to Superset

SIEM Query:

source="superset" AND ("query_to_xml" OR "table_to_xml")
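The following is an added example, not part of this advisory and not Superset's own code. It models three things the page describes: the engine-keyed DISALLOWED_SQL_FUNCTIONS check from the workaround above (why a dict keyed by engine is needed, and why names inside string literals or comments should not count), a scan of query log lines for the log indicators listed above including the per-user hit count, and the numeric version comparison behind the "below 4.1.0" check. The log line format, user names, timestamps and queries are constructed for the example, and the function-name extraction is a simplified regex stand-in for a real SQL parser.

```python
import re
from collections import defaultdict

# Engine-keyed block list in the same shape as Superset's DISALLOWED_SQL_FUNCTIONS
# setting (engine name -> set of lowercase function names). Only the three
# PostgreSQL functions named in the advisory are listed here; Superset's real
# defaults contain more entries.
DISALLOWED_SQL_FUNCTIONS = {
    "postgresql": {
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "table_to_xml_and_xmlschema",
    },
}

FIXED_VERSION = (4, 1, 0)

# String literals and comments are blanked out first so a function name that
# merely appears inside them is not mistaken for a call.
_STRING_OR_COMMENT = re.compile(
    r"'(?:[^']|'')*'"   # single-quoted literal ('' is an escaped quote)
    r"|--[^\n]*"        # line comment
    r"|/\*.*?\*/",      # block comment
    re.DOTALL,
)
# An identifier, optionally schema-qualified (pg_catalog.table_to_xml), followed by "(".
_FUNCTION_CALL = re.compile(
    r"\b([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\s*\("
)


def called_functions(sql: str) -> set[str]:
    """Lowercase names of every function called in `sql` (simplified stand-in
    for a real SQL parser)."""
    stripped = _STRING_OR_COMMENT.sub(" ", sql)
    return {
        m.group(1).lower().rsplit(".", 1)[-1]  # drop any schema qualifier
        for m in _FUNCTION_CALL.finditer(stripped)
    }


def disallowed_functions_used(sql: str, engine: str, disallowed=DISALLOWED_SQL_FUNCTIONS) -> set[str]:
    """Functions in `sql` that are blocked for `engine`; an empty set means the
    query passes. Engines without an entry have nothing blocked, which is why a
    flat list instead of an engine-keyed dict would not express this."""
    return called_functions(sql) & disallowed.get(engine, set())


def is_vulnerable_version(version: str) -> bool:
    """True if a Superset version string (e.g. from `pip show apache-superset`)
    is below the 4.1.0 fix. Compares numerically, so "4.10.1" sorts after "4.9.0";
    pre-release suffixes such as "rc1" are ignored."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts)) < FIXED_VERSION


# Constructed query-log lines for the example: timestamp, user, engine, SQL, tab separated.
SAMPLE_QUERY_LOG = [
    "2024-12-06T10:15:02Z\talice\tpostgresql\tSELECT id, total FROM orders LIMIT 100",
    "2024-12-06T10:16:40Z\tbob\tpostgresql\tSELECT table_to_xml('public.orders', true, false, '')",
    "2024-12-06T10:17:05Z\tbob\tpostgresql\tSELECT QUERY_TO_XML_AND_XMLSCHEMA('select 1', true, false, '')",
    "2024-12-06T10:18:11Z\tcarol\tpostgresql\tSELECT 'table_to_xml(' AS note -- table_to_xml(x)",
    "2024-12-06T10:19:30Z\tdave\tmysql\tSELECT table_to_xml('t', true, false, '')",
]


def scan_query_log(lines, disallowed=DISALLOWED_SQL_FUNCTIONS):
    """Flag each logged query that calls a function blocked for its engine.
    Returns the list of hits (timestamp, user, sorted function names) and a
    per-user hit count, which is the signal behind the 'multiple attempts'
    log indicator."""
    hits = []
    per_user = defaultdict(int)
    for line in lines:
        ts, user, engine, sql = line.split("\t", 3)
        used = disallowed_functions_used(sql, engine, disallowed)
        if used:
            hits.append((ts, user, sorted(used)))
            per_user[user] += 1
    return hits, dict(per_user)


if __name__ == "__main__":
    for ts, user, funcs in scan_query_log(SAMPLE_QUERY_LOG)[0]:
        print(f"{ts} user={user} disallowed={','.join(funcs)}")
```

On the constructed log, only bob's two PostgreSQL queries are flagged: carol's query mentions table_to_xml only inside a string literal and a comment, and dave's query runs against a MySQL connection, which has no entry in the block list. A real deployment would read the SQL from Superset's query table or its event logs rather than from tab-separated lines.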

🔗 References
