What is the severity of CVE-2024-39887?

CVE-2024-39887 has been classified with a high severity rating due to its potential for SQL Injection attacks.

How do I fix CVE-2024-39887?

To mitigate CVE-2024-39887, upgrade to Apache Superset version 4.0.2 or later.

What systems are affected by CVE-2024-39887?

CVE-2024-39887 affects Apache Superset versions before 4.0.2.

How does CVE-2024-39887 impact security?

CVE-2024-39887 allows attackers to bypass SQL authorization, potentially compromising sensitive data.

What type of vulnerability is CVE-2024-39887?

CVE-2024-39887 is an SQL Injection vulnerability resulting from improper neutralization in Apache Superset.

Vulnerability/
CVE-2024-39887

critical

9.8

CWE

16/7/2024

13/2/2025

CVE-2024-39887: Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions

First published: Tue Jul 16 2024(Updated: )

An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection. This issue affects Apache Superset: before 4.0.2. Users are recommended to upgrade to version 4.0.2, which fixes the issue.

Credit: security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
pip/apache-superset	<4.0.2	4.0.2
Apache Superset	<4.0.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-39887?
CVE-2024-39887 has been classified with a high severity rating due to its potential for SQL Injection attacks.
How do I fix CVE-2024-39887?
To mitigate CVE-2024-39887, upgrade to Apache Superset version 4.0.2 or later.
What systems are affected by CVE-2024-39887?
CVE-2024-39887 affects Apache Superset versions before 4.0.2.
How does CVE-2024-39887 impact security?
CVE-2024-39887 allows attackers to bypass SQL authorization, potentially compromising sensitive data.
What type of vulnerability is CVE-2024-39887?
CVE-2024-39887 is an SQL Injection vulnerability resulting from improper neutralization in Apache Superset.

agent/weakness
agent/title
agent/type
agent/first-publish-date
collector/oss-sec
source/oss-sec
alias/CVE-2024-39887
agent/references
agent/description
collector/nvd-cve
source/NVD
agent/author
collector/mitre-cve
source/MITRE
collector/github-advisory-latest
source/GitHub
alias/GHSA-2q6j-vpvr-6pvj
agent/software-canonical-lookup
collector/github-advisory
agent/trending
agent/source
agent/last-modified-date
agent/severity
agent/softwarecombine
agent/tags
collector/nvd-api
agent/event
package-manager/pip
vendor/apache
canonical/apache superset

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.