Skip to content

Apache Superset - Elevation of Privilege

High severity GitHub Reviewed Published Nov 27, 2023 in orangecertcc/security-research • Updated Jan 10, 2024

Package

pip apache-superset (pip)

Affected versions

< 2.1.2

Patched versions

2.1.2

Description

Overview

An attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator.

Details

On a more general level, diverse tables who are supposed to be only readable can be modified using the WITH … AS and RETURNING keywords.
Modification of the table key_value can also be done, which could lead to a Remote Code Execution (cf. "V7 - Insecure deserialization leading to remote code execution" report vulnerability).

Proof of Concept

Some tables are supposed to accept only SELECT requests from the SQL tab.

  • Attempt to create a new user injected_admin into the ab_user table: PoC_1

But this protection can be bypassed by using the WITH … AS () syntax with RETURNING value after the INSERT / UPDATE / DELETE query.
INSERT query accepted by the database due to the use of WITH … AS ( … RETURNING ) syntax:
WITH a AS ( INSERT INTO ab_user (id, first_name, last_name, username, email, password) VALUES (2, ‘injected_admin’, ‘injected_admin’, ‘injected_admin’, ‘[email protected]’, ‘{PASSWORD_HASH}’) RETURNING id ) SELECT * FROM a;
PoC_2

  • injected_admin added to the ab_user table: PoC_3

This method can also be used with UPDATE or DELETE request. A user with access to SELECT on the tables ab_user_role can escalate his privilege to become administrator.

  • Locating the ID of the user ‘Auditeur B’, who has no rights and is not an admin. The request is done being ‘Auditeur B’: PoC_4
  • Locating the rows that keep the role of the user ‘Auditeur B’. The row 36 stores the value 3, indicating the role ‘Alpha’ for ‘Auditeur B’: PoC_5
  • Modification of the row 36 with an UPDATE request embedded in a WITH request: PoC_6
  • ‘Auditeur B’ role has been changed to Admin: PoC_7

This technique can also be used to inject or modify values of the table key_value, which can potentially lead to a Remote Code Execution (cf. ...).

Solution

Orange recommendation

To fix this vulnerability, we recommends reenforcing the SELECT filter to spot INSERT / UPDATE / DELETE keywords even in WITH requests.

Security patch

Upgrade to Superset version 2.1.2.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-40610
https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot

Credits

LEXFO for Orange Innovation

Orange CERT-CC at Orange group

Timeline

Date reported: July 27, 2023
Date fixed: November 27, 2023

References

Published to the GitHub Advisory Database Nov 28, 2023
Reviewed Nov 28, 2023
Last updated Jan 10, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS score

0.865%
(82nd percentile)

Weaknesses

CVE ID

CVE-2023-40610

GHSA ID

GHSA-f678-j579-4xf5

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.