CVE-2024-24773: Apache Superset: Improper validation of SQL statements allows for unauthorized access to data

February 28, 2024 (updated February 13, 2025)

Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1, which fixes the issue.

References

github.com/advisories/GHSA-5474-f7g5-273q
github.com/apache/superset
lists.apache.org/thread/h66fy6nj41cfx07zh7l552w6dmtjh501
nvd.nist.gov/vuln/detail/CVE-2024-24773

Detect and mitigate CVE-2024-24773 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →