CVE-2026-23969: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Apache Software Foundation Apache Superset
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete. This issue affects Apache Superset: before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue.
AI Analysis
Technical Summary
Apache Superset is an open-source data visualization and business intelligence platform that fronts many SQL engines, ClickHouse and PostgreSQL among them. SQL Lab and chart queries are passed to the backing database largely as the user wrote them, so Superset ships a per-engine blocklist, the DISALLOWED_SQL_FUNCTIONS configuration dictionary, and refuses to run a statement that calls a listed function. Within Superset, that list is what keeps a user who is allowed to write SQL away from functions that disclose details about the database server or reach outside the dataset being queried. The PostgreSQL entry covered such functions; the default ClickHouse entry did not, so a Superset user with SQL Lab access or chart-editing rights on a ClickHouse connection could call functions the project intended to block. The advisory classifies the weakness as CWE-89 and reports a CVSS 4.0 base score of 5.3 (medium): reachable over the network, low complexity, no user interaction, but requiring an authenticated account that can already submit SQL. The page does not state which ClickHouse functions were missing from the default list. Version 4.1.2 extends the default ClickHouse entry; every earlier version is affected. No exploitation in the wild had been reported as of this page's enrichment.
Potential Impact
An authenticated Superset user who can run SQL Lab queries or edit chart queries against a ClickHouse connection can invoke functions Superset meant to withhold. What that yields depends on which functions the missing entries covered, and the advisory does not say; in general these blocklists target functions that reveal server details or, in ClickHouse's case, table functions that read from URLs, local files or remote hosts, so the realistic outcomes are information disclosure and reads or writes beyond what the user's Superset role grants, affecting the confidentiality and integrity of the connected data. The attack is network-based and needs no user interaction, but it does need an account with SQL access, which is why the score stays at medium. Deployments that give many analysts SQL Lab access over ClickHouse are the most exposed, and a successful query would look like ordinary analyst activity in the access logs. No public exploit was known at the time of this write-up; the fix is small and the upgrade should still be prioritized.
Mitigation Recommendations
Upgrade Apache Superset to version 4.1.2 or later, where the default ClickHouse entry in DISALLOWED_SQL_FUNCTIONS is extended. Beyond the upgrade:
- Review DISALLOWED_SQL_FUNCTIONS in superset_config.py and extend it for every engine you connect, not only ClickHouse. The dictionary is keyed by engine name, so use the name Superset reports for the driver behind each connection, and confirm with a test query in SQL Lab that a listed function is actually refused.
- Enforce the same restriction in the database itself. Connect Superset with a dedicated read-only ClickHouse account that is not granted source privileges such as URL, FILE, S3 or REMOTE, so ClickHouse rejects those table functions even when Superset's list lags behind.
- Keep "Allow DML" disabled on the ClickHouse connection and limit SQL Lab to roles that need it. Chart editors can also submit free-form SQL through custom SQL metrics and columns, so scope those roles as well.
- Review stored SQL Lab queries (Superset records every statement in its query history) for calls to functions you consider sensitive; the same name check the blocklist performs can be run over that history.
- Network segmentation and a WAF are secondary controls here: SQL Lab submits the statement in a JSON request body, and a query that merely calls a particular function does not match generic SQL injection signatures.
- Keep Superset and its dependencies current so later adjustments to the default lists are picked up.
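As an added illustration (this is not Superset's code, and the policy entries and log records below are constructed for the example), the following Python models how a per-engine blocklist in the shape of DISALLOWED_SQL_FUNCTIONS is applied: the statement is normalized, the function names it calls are extracted, and the result is intersected with the engine's entry. The same check run over stored SQL Lab queries serves the monitoring recommendation above. The function names in both policies are assumptions; file(), s3() and remote() are real ClickHouse table functions that read outside the database, but whether the 4.1.2 fix blocks them is not stated on this page. Note how the short ClickHouse entry lets the s3() query through while the extended one catches it, and how a plain substring match would miss `URL /* */ (`.

```python
"""Model of a per-engine SQL function blocklist in the shape of Superset's
DISALLOWED_SQL_FUNCTIONS, plus a scan of query-log records against it.

Added example for this page; it does not reproduce Superset's own parser or
its default policy, and the function names in the policies below are
assumptions chosen to illustrate the gap, not the entries from the 4.1.2 fix.
"""
import re

# Superset's config key maps an engine name to a set of function names.
# NARROW_POLICY stands in for a default whose ClickHouse entry is too short.
NARROW_POLICY: dict[str, set[str]] = {
    "postgresql": {"version", "query_to_xml", "inet_server_addr", "inet_client_addr"},
    "clickhouse": {"url"},
}

# An admin-extended policy. file/s3/remote are real ClickHouse table functions
# that read outside the database; listing them here is this example's
# assumption, not a statement about what Superset 4.1.2 blocks.
HARDENED_POLICY: dict[str, set[str]] = {
    "postgresql": NARROW_POLICY["postgresql"],
    "clickhouse": NARROW_POLICY["clickhouse"] | {"file", "s3", "remote", "hostname"},
}

# Strip comments, string literals and quoted identifiers before looking for
# calls, so 'url(' inside a string is not a hit and url/**/( still is.
_STRIP = re.compile(
    r"--[^\n]*"               # line comment
    r"|/\*.*?\*/"             # block comment
    r"|'(?:[^']|'')*'"        # single-quoted string, '' escapes a quote
    r'|"(?:[^"]|"")*"'        # double-quoted identifier
    r"|`[^`]*`",              # backtick-quoted identifier
    re.DOTALL,
)
# identifier followed by "(", with optional whitespace (comments already removed)
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
# keywords that legitimately precede "(" but are not function calls
_NOT_CALLS = {"in", "values", "exists", "and", "or", "not", "from", "where", "on",
              "select", "join", "with", "over", "as", "distinct", "by", "union",
              "case", "when", "then", "else", "having", "set", "insert", "into"}


def called_functions(sql: str) -> set[str]:
    """Lower-cased names of every function called in the statement."""
    cleaned = _STRIP.sub(" ", sql)
    return {m.group(1).lower() for m in _CALL.finditer(cleaned)} - _NOT_CALLS


def check_query(engine: str, sql: str, policy: dict[str, set[str]]) -> set[str]:
    """Blocked functions the query calls for this engine; empty set == allowed."""
    return called_functions(sql) & policy.get(engine, set())


# Constructed query-log records (user, engine, sql), not captured data.
SAMPLE_QUERY_LOG = [
    ("alice", "postgresql", "SELECT version()"),
    ("bob", "clickhouse",
     "SELECT * FROM url('http://internal.example/metadata', 'CSV', 's String')"),
    ("bob", "clickhouse",
     "SELECT * FROM URL /* split */ ('http://internal.example/metadata', 'CSV', 's String')"),
    ("carol", "clickhouse",
     "SELECT * FROM s3('https://bucket.example/export.csv', 'CSVWithNames')"),
    ("dave", "clickhouse", "SELECT count() FROM events WHERE note = 'url('"),
]


def flag_records(records, policy):
    """(user, engine, sorted blocked functions) for each record that hits the policy."""
    flagged = []
    for user, engine, sql in records:
        hits = check_query(engine, sql, policy)
        if hits:
            flagged.append((user, engine, sorted(hits)))
    return flagged


if __name__ == "__main__":
    for name, policy in (("narrow", NARROW_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name} policy:")
        for user, engine, hits in flag_records(SAMPLE_QUERY_LOG, policy):
            print(f"  {user:6} {engine:11} blocked: {', '.join(hits)}")
```

Superset parses statements with a real SQL parser rather than a regular expression; the tokenizer here is only enough to show why normalization matters (case, comments, string literals) and what a name-based blocklist can and cannot guarantee. It matches names, so a function reachable under an alias, a table function the engine exposes under another name, or a construct the parser mis-tokenizes is not covered, which is why the database-side grants in the recommendations above remain the authoritative control.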
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, India, Netherlands, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-01-19T16:07:55.245Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699da85ebe58cf853bd63635
Added to database: 2/24/2026, 1:32:14 PM
Last enriched: 2/24/2026, 1:47:57 PM
Last updated: 2/24/2026, 10:19:58 PM
Views: 10
Related Threats
- CVE-2026-27593: CWE-640: Weak Password Recovery Mechanism for Forgotten Password in statamic cms (Critical)
- CVE-2026-27117: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in rikyoz bit7z (Medium)
- CVE-2026-27572: CWE-770: Allocation of Resources Without Limits or Throttling in bytecodealliance wasmtime (Medium)
- CVE-2026-27204: CWE-400: Uncontrolled Resource Consumption in bytecodealliance wasmtime (Medium)
- CVE-2026-27195: CWE-755: Improper Handling of Exceptional Conditions in bytecodealliance wasmtime (Medium)