apache_superset is vulnerable to Information Disclosure. A remote authenticated attacker with read access to a specific database can add subqueries to the WHERE and HAVING fields, resulting in references to tables on the same database that the attacker should not have access to. The perimeter to prevent ad-hoc queries (ALLOW_ADHOC_SUBQUERY) fails to sanitize the WHERE and HAVING fields, resulting in the disclosure of Sensitive Information.
github.com/apache/superset/commit/bac190e0438f005fad11ba2838d4cc48e3f253d6
github.com/apache/superset/commit/c9921f8d72ecd54513d95bacb45ba25afba74b42
github.com/apache/superset/commit/f676a890d9bd7b563835b7919b5b15da8d50df4c
github.com/apache/superset/pull/21729
lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos