CVE-2024-39887 Overview
CVE-2024-39887 is a SQL Injection vulnerability in Apache Superset caused by improper neutralization of special elements used in SQL commands [CWE-89]. The flaw resides in how Superset validates engine-specific SQL functions before query execution. Certain PostgreSQL functions are not checked, which allows authenticated attackers to bypass Apache Superset's SQL authorization controls and access restricted data. The vulnerability affects all versions of Apache Superset prior to 4.0.2. Apache addressed the issue by introducing a DISALLOWED_SQL_FUNCTIONS configuration key that blocks risky functions such as version, query_to_xml, inet_server_addr, and inet_client_addr.
Critical Impact
Attackers can bypass SQL authorization in Apache Superset to disclose database server information and execute restricted queries against connected PostgreSQL data sources.
Affected Products
- Apache Superset versions before 4.0.2
- Deployments connecting Superset to PostgreSQL backends
- Self-hosted and containerized Superset installations
Discovery Timeline
- 2024-07-16 - CVE-2024-39887 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2024-39887
Vulnerability Analysis
Apache Superset enforces SQL authorization by inspecting submitted queries before execution. The authorization layer fails to account for engine-specific functions exposed by underlying database drivers. Attackers craft queries that invoke PostgreSQL functions like query_to_xml to extract data from tables the user is not authorized to read. The function executes server-side with the privileges of the database connection rather than the Superset user, breaking the trust boundary Superset enforces in its SQL Lab and chart query paths.
Root Cause
The root cause is incomplete input validation in Superset's SQL parsing and authorization logic. The query inspector does not enumerate engine-specific function calls when evaluating whether a query touches restricted objects. Functions such as query_to_xml('SELECT * FROM restricted_table') accept a SQL string as an argument, which the parser treats as opaque data rather than a nested query subject to authorization checks.
Attack Vector
The vulnerability is exploitable over the network by an authenticated Superset user with permission to run queries through SQL Lab or chart creation. The attacker submits a query that calls a permitted top-level function while embedding a restricted query inside one of the engine-specific functions. The Superset authorization layer approves the outer query, the database executes the inner statement, and the results return to the attacker. The vulnerability mechanism is documented in the Apache Thread Discussion and the Openwall OSS-Security Announcement.
Detection Methods for CVE-2024-39887
Indicators of Compromise
- Superset query logs containing calls to query_to_xml, version, inet_server_addr, or inet_client_addr from non-administrative users
- PostgreSQL server logs showing unexpected XML serialization of tables outside the user's normal data scope
- SQL Lab activity referencing system tables or metadata functions outside business hours
Detection Strategies
- Audit the query table in the Superset metadata database for historical use of disallowed PostgreSQL functions
- Enable PostgreSQL log_statement = 'all' on connected databases and correlate executed queries against Superset's authorization decisions
- Alert on any query string containing engine-specific reflection functions issued by accounts without administrator privileges
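As an added illustration of the audit and alerting strategies above (example code, not part of this advisory or of Superset itself): a small Python triage pass over constructed rows shaped like Superset's query log, flagging non-administrative users whose SQL actually calls one of the four default-disallowed PostgreSQL functions, while ignoring mentions inside comments, string literals, or bare column references. The row shape and user names are assumptions.

```python
import re
from dataclasses import dataclass

# Functions blocked by default in Superset 4.0.2's DISALLOWED_SQL_FUNCTIONS for PostgreSQL
DISALLOWED_PG_FUNCTIONS = {"version", "query_to_xml", "inet_server_addr", "inet_client_addr"}

# Constructed sample rows (assumed shape: user, admin flag, submitted SQL); not real log data
SAMPLE_QUERIES = [
    {"user": "analyst1", "is_admin": False, "sql": "SELECT region, SUM(sales) FROM sales_2024 GROUP BY region"},
    {"user": "analyst2", "is_admin": False, "sql": "SELECT query_to_xml('SELECT * FROM hr.salaries', true, false, '')"},
    {"user": "analyst3", "is_admin": False, "sql": "select pg_catalog.VERSION ( )"},
    {"user": "dba", "is_admin": True, "sql": "SELECT version()"},
    {"user": "analyst4", "is_admin": False, "sql": "SELECT 1 /* version() */ -- inet_server_addr()"},
    {"user": "analyst5", "is_admin": False, "sql": "SELECT 'query_to_xml(' AS note, inet_server_addr FROM t"},
]

# Block comments, line comments and single-quoted literals, matched left to right so that a
# quote inside a comment (or a -- inside a literal) is consumed by the enclosing token
_NOISE = re.compile(r"/\*.*?\*/|--[^\n]*|'(?:[^']|'')*'", re.S)

def disallowed_calls(sql, disallowed=DISALLOWED_PG_FUNCTIONS):
    """Return the set of disallowed functions that the query actually calls."""
    cleaned = _NOISE.sub(" ", sql)
    found = set()
    for name in disallowed:
        # optional schema qualifier (e.g. pg_catalog.), any letter case, whitespace before '('
        pattern = r"(?<![\w.])(?:\w+\s*\.\s*)?" + re.escape(name) + r"\s*\("
        if re.search(pattern, cleaned, flags=re.I):
            found.add(name)
    return found

@dataclass
class Finding:
    user: str
    functions: tuple
    sql: str

def triage(rows, disallowed=DISALLOWED_PG_FUNCTIONS):
    """Alert only on non-administrative accounts that invoke a disallowed function."""
    findings = []
    for row in rows:
        hits = disallowed_calls(row["sql"], disallowed)
        if hits and not row["is_admin"]:
            findings.append(Finding(row["user"], tuple(sorted(hits)), row["sql"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_QUERIES):
        print(f"ALERT user={f.user} functions={','.join(f.functions)} sql={f.sql!r}")
```

Against the Superset metadata database, the same function can be applied to each `sql` value read from the `query` table; the `is_admin` flag is an assumed join against role assignments.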
Monitoring Recommendations
- Forward Superset application logs and PostgreSQL query logs to a centralized SIEM for correlation
- Track query patterns per user and flag deviations that include reflection or introspection functions
- Review role and permission assignments quarterly to confirm SQL Lab access is restricted to users who require it
How to Mitigate CVE-2024-39887
Immediate Actions Required
- Upgrade Apache Superset to version 4.0.2 or later, which contains the fix and the new DISALLOWED_SQL_FUNCTIONS configuration
- Inventory all Superset deployments and confirm the running version against the affected range
- Revoke SQL Lab access from any account that does not have a documented business need
- Rotate PostgreSQL credentials used by Superset connections if abuse is suspected
Patch Information
Apache Superset 4.0.2 introduces the DISALLOWED_SQL_FUNCTIONS configuration key. By default, the patch blocks the PostgreSQL functions version, query_to_xml, inet_server_addr, and inet_client_addr. Administrators can extend the list with additional functions specific to their database engines. Patch details are available in the Apache Thread Discussion.
Workarounds
- Restrict the database role used by Superset connections so that engine-specific reflection functions are denied at the database layer
- Place Superset behind authenticated reverse proxies and limit SQL Lab access through role-based access control
- Disable direct SQL Lab usage for non-analyst roles until the patched version is deployed
# Configuration example - superset_config.py after upgrading to 4.0.2
DISALLOWED_SQL_FUNCTIONS = {
    'postgresql': {
        'version',
        'query_to_xml',
        'inet_server_addr',
        'inet_client_addr',
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.