CVE-2021-41971

Summary

Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache SupersetApache Superset < 1.3.1affected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Workarounds

Don't enable ENABLE_TEMPLATE_PROCESSING (disabled by default). Or upgrade to Apache Superset 1.3.1

ADP Enrichment

CVE Program Container

Additional References

References