#VU71205 SQL injection in Apache Superset - CVE-2021-41971

Published: January 17, 2023


Vulnerability identifier: #VU71205
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-41971
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Apache Superset
Software vendor:
Apache Foundation

Description

The vulnerability allows a remote user to execute arbitrary SQL queries against the database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can send a specially crafted HTTP request to a custom URL and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability requires that Apache Superset is configured with the ENABLE_TEMPLATE_PROCESSING feature flag enabled (it is disabled by default).
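A defender-side check for the precondition above, added here as an example that is not part of the advisory or of Superset's own code: it parses a `superset_config.py` (Superset reads feature flags from the `FEATURE_FLAGS` dict in that module) and reports whether ENABLE_TEMPLATE_PROCESSING is switched on. The sample config text below is constructed, and the config file path is an assumption.

```python
import ast

FLAG = "ENABLE_TEMPLATE_PROCESSING"

# Constructed sample of a superset_config.py (not taken from any real deployment).
SAMPLE_CONFIG = '''
SECRET_KEY = "placeholder"
FEATURE_FLAGS = {
    "DASHBOARD_NATIVE_FILTERS": True,
    "ENABLE_TEMPLATE_PROCESSING": True,
}
'''


def template_processing_enabled(config_source: str) -> bool:
    """Return True if the config source enables ENABLE_TEMPLATE_PROCESSING.

    Only a literal True counts as enabled, matching Superset's default of
    disabled; a non-literal value (e.g. computed from the environment) is
    reported as off and should be reviewed by hand.
    """
    enabled = False
    for node in ast.walk(ast.parse(config_source)):
        if not isinstance(node, ast.Assign):
            continue
        is_true = isinstance(node.value, ast.Constant) and node.value.value is True
        for target in node.targets:
            # Form 1: FEATURE_FLAGS = {"ENABLE_TEMPLATE_PROCESSING": True, ...}
            if (isinstance(target, ast.Name) and target.id == "FEATURE_FLAGS"
                    and isinstance(node.value, ast.Dict)):
                for key, value in zip(node.value.keys, node.value.values):
                    if isinstance(key, ast.Constant) and key.value == FLAG:
                        enabled = isinstance(value, ast.Constant) and value.value is True
            # Form 2: FEATURE_FLAGS["ENABLE_TEMPLATE_PROCESSING"] = True
            elif (isinstance(target, ast.Subscript)
                    and isinstance(target.value, ast.Name)
                    and target.value.id == "FEATURE_FLAGS"
                    and isinstance(target.slice, ast.Constant)
                    and target.slice.value == FLAG):
                enabled = is_true
    return enabled


def audit_config_file(path: str = "superset_config.py") -> bool:
    """Read a config module from disk (path is an assumption) and check the flag."""
    with open(path, encoding="utf-8") as fh:
        return template_processing_enabled(fh.read())


if __name__ == "__main__":
    if template_processing_enabled(SAMPLE_CONFIG):
        print(f"{FLAG} is enabled: CVE-2021-41971 precondition met, "
              "disable the flag or apply the vendor update")
    else:
        print(f"{FLAG} is disabled (default)")
```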


Remediation

Install update from vendor's website.

External links