CVE-2024-34693

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-34693
Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0 Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2024/06/20/1 Mailing List
http://www.openwall.com/lists/oss-security/2024/06/20/1 Mailing List
https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon Mailing List
https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon Mailing List
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
History

13 Feb 2025, 18:18

Type Values Removed Values Added
Summary Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0 Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue. Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0 Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.

11 Feb 2025, 17:21

Type Values Removed Values Added
CWE CWE-20 NVD-CWE-noinfo
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.3
References () https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon - () https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon - Mailing List
References () http://www.openwall.com/lists/oss-security/2024/06/20/1 - () http://www.openwall.com/lists/oss-security/2024/06/20/1 - Mailing List
First Time Apache superset
Apache
CPE cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

20 Jun 2024, 11:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/06/20/1 -

20 Jun 2024, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-20 09:15

Updated : 2025-02-13 18:18

NVD link : CVE-2024-34693

Mitre link : CVE-2024-34693

JSON object : View

Products Affected

apache

  • superset
CWE
NVD-CWE-noinfo