CVE-2024-55633: 
Apache Superset vulnerability analysis and mitigation

CVE-2024-55633 is an Improper Authorization vulnerability discovered in Apache Superset affecting versions before 4.1.0. The vulnerability specifically impacts Postgres analytic databases where an attacker with SQLLab access can craft specially designed SQL DML statements that are incorrectly identified as read-only queries, enabling their execution. The vulnerability was disclosed on December 12, 2024, and has been assigned a CVSS v4.0 score of 7.1 (High) (NVD, Security Online).

The vulnerability stems from a flaw in Apache Superset's SQLLab feature where the system incorrectly validates read-only queries. When processing SQL DML (Data Manipulation Language) statements on Postgres analytic databases, the system fails to properly identify write operations, allowing them to be executed despite read-only restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and high impact on integrity (NVD).

The exploitation of this vulnerability can lead to unauthorized modification of data in Postgres analytic databases. Attackers with SQLLab access can bypass read-only restrictions and execute write operations, potentially compromising the integrity of the database. Non-postgres analytics database connections and postgres analytics database connections configured with a readonly user are not affected by this vulnerability (Security Online).

Users are strongly recommended to upgrade to Apache Superset version 4.1.0, which contains the fix for this vulnerability. For systems that cannot be immediately upgraded, it is advised to configure Postgres analytics database connections with a readonly user to prevent exploitation (OSS Security).