
CVE-2023-32672:
Apache Superset has incorrect authorization check

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.43065%
Published: 9/6/2023
Updated: 11/6/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: apache-superset
Ecosystem: pip
Vulnerable Versions: <= 2.1.0
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability centers on an incorrect authorization check caused by SQL parsing flaws in SQL Lab. The functions most likely involved are: (1) the SQL execution handler (e.g., execute_sql_statement), which relies on the table names extracted by the parser to enforce permissions, and (2) the SQL parser (e.g., get_table_names), which fails to extract every referenced table accurately, so a query can touch a table the permission check never sees. Without patch details, these are educated guesses based on Superset's architecture and the described exploit mechanism. The 'medium' confidence reflects the lack of explicit code references, but the guesses align with the Superset components typically involved in SQL parsing and execution.


WAF Protection Rules

WAF Rule

An Incorrect Authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploit
