CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
76.4%
An attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator.
On a more general level, diverse tables who are supposed to be only readable can be modified using the WITH … AS and RETURNING keywords.
Modification of the table key_value can also be done, which could lead to a Remote Code Execution (cf. “V7 - Insecure deserialization leading to remote code execution” report vulnerability).
Some tables are supposed to accept only SELECT requests from the SQL tab.
But this protection can be bypassed by using the WITH … AS () syntax with RETURNING value after the INSERT / UPDATE / DELETE query.
INSERT query accepted by the database due to the use of WITH … AS ( … RETURNING ) syntax:
WITH a AS ( INSERT INTO ab_user (id, first_name, last_name, username, email, password) VALUES (2, ‘injected_admin’, ‘injected_admin’, ‘injected_admin’, ‘[email protected]’, ‘{PASSWORD_HASH}’) RETURNING id ) SELECT * FROM a;
PoC_2
This method can also be used with UPDATE or DELETE request. A user with access to SELECT on the tables ab_user_role can escalate his privilege to become administrator.
This technique can also be used to inject or modify values of the table key_value, which can potentially lead to a Remote Code Execution (cf. …).
To fix this vulnerability, we recommends reenforcing the SELECT filter to spot INSERT / UPDATE / DELETE keywords even in WITH requests.
Upgrade to Superset version 2.1.2.
https://nvd.nist.gov/vuln/detail/CVE-2023-40610
https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot
LEXFO for Orange Innovation
Orange CERT-CC at Orange group
Date reported: July 27, 2023Date fixed: November 27, 2023
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
76.4%