CVE-2024-34693 in Superset
Summary
by MITRE • 06/20/2024
Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0
Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/20/2024
The vulnerability CVE-2024-34693 represents a critical improper input validation flaw within Apache Superset that enables authenticated attackers to escalate their privileges through database connection manipulation. This issue specifically targets the MariaDB connection configuration process where an attacker can inadvertently or deliberately enable the local_infile parameter, creating a dangerous attack vector that bypasses normal security boundaries. The vulnerability exists in Apache Superset versions prior to 3.1.3 and 4.0.0, making a significant portion of deployments susceptible to exploitation. The flaw stems from insufficient validation of connection parameters during database configuration, allowing malicious input to propagate into database connection settings without proper sanitization or verification.
The technical exploitation of this vulnerability relies on the attacker's ability to establish a MariaDB connection through the Superset interface while manipulating connection parameters to enable local_infile functionality. When both the MariaDB server and the MySQL client on the web server are configured to permit local infile operations, the attacker can execute specific SQL commands that leverage the LOAD DATA LOCAL INFILE functionality. This particular MySQL/MariaDB feature allows reading files from the server filesystem and inserting their contents into database tables, effectively providing the attacker with a method to exfiltrate sensitive data from the server. The vulnerability is particularly dangerous because it combines authentication bypass with privilege escalation through database connection manipulation, creating a multi-layered attack path that can be exploited by attackers who have already gained access to the Superset application.
The operational impact of CVE-2024-34693 extends beyond simple data exfiltration, as it enables potential lateral movement within the network infrastructure and provides attackers with access to sensitive server files that may contain database credentials, application secrets, or other confidential information. The vulnerability creates a persistent threat vector that can be exploited repeatedly by authenticated users, making it particularly concerning for environments where Superset is used with elevated privileges or where multiple users have access to database connection configuration. According to CWE classification, this vulnerability maps to CWE-20: Improper Input Validation, which is a fundamental security weakness that allows malicious input to be processed without proper validation or sanitization. The attack pattern aligns with ATT&CK technique T1078.004: Valid Accounts, specifically targeting the exploitation of legitimate database connection capabilities to achieve unauthorized data access.
Organizations using affected Apache Superset versions face significant risk of data compromise and potential system infiltration through this vulnerability. The recommended mitigation strategy involves upgrading to version 4.0.1 or 3.1.3, which implements proper input validation and sanitization of database connection parameters. Security teams should also implement additional controls such as monitoring database connection configurations, restricting database access privileges, and ensuring that local_infile is disabled on MariaDB servers where possible. The vulnerability demonstrates the importance of proper parameter validation in web applications, particularly when dealing with database connectivity configurations that can have far-reaching security implications. Organizations should conduct immediate vulnerability assessments to identify affected systems and implement the necessary patches while also reviewing their database security configurations to minimize the attack surface for similar vulnerabilities.