CVE-2023-49736 Overview
CVE-2023-49736 is a SQL injection vulnerability in Apache Superset stemming from the where_in JINJA macro. The macro permits users to specify a quote character that, when combined with a carefully crafted statement, breaks out of the intended query context. Authenticated attackers can execute arbitrary SQL against connected databases.
The flaw affects Apache Superset versions before 2.1.2 and versions 3.0.0 through 3.0.1. Apache addresses the issue in version 3.0.2. The vulnerability maps to [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated users can leverage the where_in JINJA macro to inject arbitrary SQL, compromising confidentiality, integrity, and availability of data sources connected to Superset.
Affected Products
- Apache Superset versions prior to 2.1.2
- Apache Superset versions 3.0.0 through 3.0.1
- Deployments using JINJA templating in SQL Lab or dataset definitions
Discovery Timeline
- 2023-12-19 - CVE-2023-49736 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-49736
Vulnerability Analysis
Apache Superset supports JINJA macros inside SQL queries to allow templated expressions. The where_in macro generates an IN clause from a user-supplied list and accepts an optional quote character parameter. The implementation does not validate or sanitize the quote argument before embedding it in the generated SQL string.
An authenticated user with query privileges can supply a quote value that closes the generated string literal and appends attacker-controlled SQL. The injected SQL executes with the privileges of the database connection configured in Superset. Connections frequently hold broad read access across analytical warehouses, expanding the blast radius.
The vulnerability requires network access to the Superset web interface and low-privilege authenticated access. No user interaction is required to exploit the flaw once an attacker has a valid session.
Root Cause
The root cause is missing input validation on the quote argument of the where_in JINJA macro. The macro concatenates the quote character directly into the rendered SQL template without escaping or restricting the allowed character set. This violates the principle of separating code from data in SQL statement construction.
Attack Vector
An attacker authenticates to Superset and crafts a query that invokes the where_in macro with a malicious quote parameter. When Superset renders the JINJA template, the attacker-controlled value breaks out of the intended literal and introduces additional SQL clauses or statements. The query executes against the connected backend database using Superset's stored credentials.
The vulnerability mechanism centers on JINJA template rendering occurring before SQL parameterization. See the Apache Mailing List Thread for the official advisory and the Openwall OSS Security Discussion for additional context.
Detection Methods for CVE-2023-49736
Indicators of Compromise
- Superset query history containing where_in macro invocations with non-standard quote arguments such as backslashes, multiple characters, or SQL syntax fragments
- Unexpected UNION SELECT, -- comment terminators, or stacked statements in rendered SQL captured by database audit logs
- Database queries originating from the Superset service account that target system tables or schemas outside normal dashboard scope
- Spikes in failed SQL parse errors in Superset logs referencing JINJA-rendered statements
Detection Strategies
- Inventory all Superset deployments and identify instances running versions below 2.1.2 or 3.0.0 to 3.0.1
- Parse Superset query logs for where_in( macro usage and flag invocations supplying a quote parameter
- Correlate Superset user activity with backend database audit trails to identify anomalous SELECT patterns against information_schema or metadata tables
Monitoring Recommendations
- Forward Superset application logs and connected database audit logs to a centralized SIEM for correlation
- Alert on Superset users executing queries that reference sensitive tables outside their normal dashboard scope
- Monitor the Superset query table for SQL containing JINJA macro syntax combined with quote escaping patterns
How to Mitigate CVE-2023-49736
Immediate Actions Required
- Upgrade Apache Superset to version 3.0.2 or later, which removes the unsafe quote parameter handling
- Audit existing user accounts and revoke query privileges from accounts that do not require SQL Lab access
- Restrict database connection accounts in Superset to least-privilege roles with read-only access to required schemas
- Review the Superset query history for suspicious where_in macro usage since deployment
Patch Information
Apache released Apache Superset 3.0.2 to fix CVE-2023-49736. Operators running the 2.x branch should upgrade to 2.1.2 or migrate to the 3.x branch at version 3.0.2 or later. Patch details are published in the Apache Mailing List Thread.
Workarounds
- Disable JINJA templating in SQL Lab by setting ENABLE_TEMPLATE_PROCESSING = False in superset_config.py if upgrading immediately is not feasible
- Restrict access to SQL Lab using role-based access control and remove the can sql_json permission from non-administrative roles
- Place Superset behind a web application firewall configured to inspect request bodies for JINJA macro patterns combined with SQL metacharacters
# Configuration example: disable JINJA template processing in superset_config.py
FEATURE_FLAGS = {
"ENABLE_TEMPLATE_PROCESSING": False,
}
# Upgrade via pip
pip install --upgrade apache-superset==3.0.2
superset db upgrade
superset init
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
