CVE-2020-13952 in Superset
Summary
by MITRE • 10/04/2020
In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary methods on the database connection object for the Presto or Hive connection, allowing the user to bypass security controls internal to Superset. This vulnerability is present in every Apache Superset version < 0.37.2.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/15/2020
This vulnerability represents a critical authorization bypass flaw in Apache Superset that allows authenticated users to escalate their privileges and access sensitive information. The issue stems from inadequate input validation and sanitization within templated fields used by the Hive and Presto database engines, creating a pathway for privilege escalation through query execution. The vulnerability specifically affects versions prior to 0.37.2 and demonstrates a classic case of insufficient access controls that enable users to manipulate database connection parameters and execute unauthorized operations. The flaw operates at the application level where templated fields are processed without proper validation, allowing malicious input to be interpreted as legitimate database connection parameters.
The technical exploitation of this vulnerability involves authenticated users leveraging templated query fields to inject malicious parameters that reveal database metadata including query description contents and hashed password information. This represents a direct violation of the principle of least privilege and demonstrates how template injection vulnerabilities can be weaponized to extract sensitive data. The vulnerability also permits arbitrary method execution against database connection objects, which bypasses Superset's built-in security controls and allows for complete compromise of database access. This capability extends beyond simple data exfiltration to enable full database manipulation and access to plaintext passwords stored within connection parameters, creating a severe risk for database security and integrity.
The operational impact of this vulnerability is substantial as it allows authenticated users to access information that should remain confidential and potentially execute unauthorized database operations. Attackers could leverage this vulnerability to gain access to plaintext passwords, database connection information, and query metadata that would normally be restricted to administrators or authorized personnel. The ability to execute arbitrary methods on database connection objects creates a pathway for lateral movement within database environments and could enable attackers to escalate privileges further. This vulnerability affects the core security model of Superset by undermining the authentication and authorization controls that protect database access, making it particularly dangerous in environments where multiple users have access to database query interfaces.
Organizations using Apache Superset versions prior to 0.37.2 should implement immediate mitigations including upgrading to the patched version and implementing additional access controls around database connection parameters. The vulnerability aligns with CWE-79 (Cross-site Scripting) and CWE-20 (Improper Input Validation) classifications, representing a combination of input sanitization failures and authorization bypass issues. From an ATT&CK perspective, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing) as attackers could leverage compromised credentials to exploit this vulnerability, and T1046 (Network Service Scanning) as the vulnerability could be used to enumerate database resources. Additional mitigations should include implementing strict template parameter validation, disabling unnecessary database connection features, and monitoring for anomalous query execution patterns that might indicate exploitation attempts.