
CVE-2022-27479: SQL injection in apache-superset

CVSS Score: 9.8

Basic Information

EPSS Score: -
Published: 4/14/2022
Updated: 8/31/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name       Ecosystem   Vulnerable Versions   First Patched Version
apache-superset    pip         < 1.4.2               1.4.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in chart data processing: user-controlled fields of a chart data request flow into SQL query construction. ChartRestApi.data, the REST endpoint that serves chart data requests, is the primary entry point and therefore the most likely place for improper input handling. SqlaTable.get_query_str is implicated because it builds the query string for SQL-based datasets, which is where injected request fields end up in the executed SQL if they were not validated upstream. Confidence is high for the first function, given its direct role in handling the request, and medium for the second, which rests on indirect evidence from Superset's architecture rather than on the fix itself; confirm both against the 1.4.2 patch before relying on this attribution.
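The pattern the analysis above describes, shown as an added illustrative example that is not Superset's code: a chart-data handler that splices request fields (group-by column, metric, order-by) into SQL text, next to a hardened version that allowlists identifiers against the dataset's known columns and binds filter values as parameters. The table, column and secret names, the `sales`/`secrets` schema and the request payload are constructed for this example and run against an in-memory SQLite database.

```python
import re
import sqlite3

# Constructed sample dataset standing in for a SQL-backed chart dataset.
# These names are assumptions for the illustration, not Superset's schema.
DATASET_COLUMNS = {"region", "revenue", "year"}

# Constructed chart-data request fragment: a "column" that the vulnerable
# builder pastes straight into the statement. The trailing "--" comments out
# the rest of the query the builder appends after it.
INJECTED_GROUPBY = "region, 0 FROM sales UNION SELECT api_key, 1 FROM secrets --"


def setup_db():
    """In-memory SQLite DB with a fact table plus a table the chart request
    must never be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (region TEXT, revenue INTEGER, year INTEGER)")
    conn.execute("CREATE TABLE secrets (api_key TEXT)")
    conn.executemany(
        "INSERT INTO sales VALUES (?, ?, ?)",
        [("north", 100, 2021), ("south", 250, 2021), ("north", 300, 2022)],
    )
    conn.execute("INSERT INTO secrets VALUES ('sk-constructed-sample')")
    return conn


def vulnerable_chart_data(conn, metric, groupby, orderby):
    """Vulnerable pattern: request fields are interpolated into the SQL text,
    so any one of them can rewrite the whole statement."""
    sql = (f"SELECT {groupby}, SUM({metric}) FROM sales "
           f"GROUP BY {groupby} ORDER BY {orderby}")
    return conn.execute(sql).fetchall()


_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _safe_column(name):
    """Accept only plain identifiers that belong to the dataset. Quoting alone
    is not sufficient: the allowlist is what stops a request from naming
    tables or columns outside the dataset."""
    if not isinstance(name, str) or not _IDENT.match(name) or name not in DATASET_COLUMNS:
        raise ValueError(f"unknown column: {name!r}")
    # ANSI/SQLite identifier quoting; a real backend should use its engine's
    # own identifier preparer since quoting rules differ per dialect.
    return f'"{name}"'


def safe_chart_data(conn, metric, groupby, direction="DESC", min_year=None):
    """Hardened pattern: identifiers validated against the dataset, sort
    direction restricted to a fixed set, filter values bound as parameters."""
    direction = str(direction).upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"bad sort direction: {direction!r}")
    where, params = "", []
    if min_year is not None:
        where = " WHERE year >= ?"
        params.append(int(min_year))  # value goes through the driver, not the SQL text
    sql = (f"SELECT {_safe_column(groupby)}, SUM({_safe_column(metric)}) AS metric_value "
           f"FROM sales{where} GROUP BY {_safe_column(groupby)} "
           f"ORDER BY metric_value {direction}")
    return conn.execute(sql, params).fetchall()


def leaked_secret(rows):
    """True if any result row carries a value from the secrets table."""
    return any(row[0] == "sk-constructed-sample" for row in rows)


if __name__ == "__main__":
    db = setup_db()
    print("legit :", vulnerable_chart_data(db, "revenue", "region", "2 DESC"))
    print("inject:", vulnerable_chart_data(db, "revenue", INJECTED_GROUPBY, "2 DESC"))
    print("safe  :", safe_chart_data(db, "revenue", "region", min_year=2022))
    try:
        safe_chart_data(db, "revenue", INJECTED_GROUPBY)
    except ValueError as exc:
        print("rejected:", exc)
```

The legitimate request returns revenue per region in both versions; the injected group-by makes the vulnerable builder execute a UNION that pulls rows out of `secrets`, while the hardened builder rejects it before any SQL is run. The same allowlist-and-bind discipline applies to every request field that reaches query construction (metrics, filters, time grains, order-by expressions), not only the one shown here.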

WAF Protection Rules

WAF Rule

Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue.
