### [CVE-2024-39887](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39887)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20Superset&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-89%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20an%20SQL%20Command%20('SQL%20Injection')&color=brightgreen)

### Description

An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.This issue affects Apache Superset: before 4.0.2.Users are recommended to upgrade to version 4.0.2, which fixes the issue.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/20142995/nuclei-templates
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/cyb3r-w0lf/nuclei-template-collection