CVE-2023-49736: 
Wolfi vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in Apache Superset, identified as CVE-2023-49736. The vulnerability exists in the where_in JINJA macro functionality, affecting Apache Superset versions before 2.1.2 and from 3.0.0 before 3.0.2. The vulnerability was discovered by Jack Prince-Fulls and publicly disclosed on December 19, 2023 (Apache Advisory, OSS Security).

The vulnerability stems from the where_in JINJA macro implementation that allows users to specify a quote character, which when combined with a carefully crafted statement, enables SQL injection attacks. The vulnerability has received varying CVSS scores, with the NVD assigning a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while the Apache Software Foundation assigned a score of 6.5 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The vulnerability is classified as CWE-89 (SQL Injection) (NVD).

The SQL injection vulnerability could potentially allow attackers to execute unauthorized SQL commands on the underlying database, potentially leading to unauthorized access to data, data manipulation, or compromise of the database system (Security Online).

Users are strongly recommended to upgrade to Apache Superset version 3.0.2 or later, which contains the fix for this vulnerability. For users running version 2.x, upgrading to version 2.1.2 or later is recommended (Apache Advisory).