CVE-2024-24772

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-24772
A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database.This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2024/02/28/5 Mailing List Third Party Advisory
https://lists.apache.org/thread/gfl3ckwy6y9tpz9jmpv62orh2q346sn5 Mailing List Vendor Advisory
https://lists.apache.org/thread/gfl3ckwy6y9tpz9jmpv62orh2q346sn5 Mailing List Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
History

12 Feb 2025, 10:15

Type Values Removed Values Added
Summary A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database.This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue. A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database.This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

31 Dec 2024, 16:22

Type Values Removed Values Added
CPE cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
CWE CWE-20 CWE-89
First Time Apache superset
Apache
References () http://www.openwall.com/lists/oss-security/2024/02/28/5 - () http://www.openwall.com/lists/oss-security/2024/02/28/5 - Mailing List, Third Party Advisory
References () https://lists.apache.org/thread/gfl3ckwy6y9tpz9jmpv62orh2q346sn5 - () https://lists.apache.org/thread/gfl3ckwy6y9tpz9jmpv62orh2q346sn5 - Mailing List, Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.3

28 Feb 2024, 15:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/02/28/5 -

28 Feb 2024, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-02-28 12:15

Updated : 2025-02-12 10:15

NVD link : CVE-2024-24772

Mitre link : CVE-2024-24772

JSON object : View

Products Affected

apache

  • superset
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')