CVE-2024-53947: 
Wolfi vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2024-53947) was discovered in Apache Superset before version 4.1.0. The vulnerability stems from improper checks on certain engine-specific PostgreSQL functions, which allows attackers to bypass Apache Superset's SQL authorization. This is a follow-up to CVE-2024-39887, specifically addressing additional disallowed PostgreSQL functions including query_to_xml_and_xmlschema, table_to_xml, and table_to_xml_and_xmlschema (NVD, Security Online).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The CVSS v4.0 base score is 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. The issue specifically relates to certain engine-specific functions that are not properly checked in the SQL authorization process (NVD).

When exploited, this vulnerability could allow attackers to bypass Superset's security mechanisms and execute arbitrary SQL queries, potentially leading to data breaches and unauthorized access to sensitive information (Security Online).

Users are recommended to upgrade to Apache Superset version 4.1.0, which includes the fix for this vulnerability. Alternatively, if immediate upgrading is not feasible, users can manually add the vulnerable PostgreSQL functions (query_to_xml_and_xmlschema, table_to_xml, and table_to_xml_and_xmlschema) to the DISALLOWED_SQL_FUNCTIONS configuration setting (Security Online).