来源

关联漏洞

Description

CVE-2024-34693: Server Arbitrary File Read in Apache Superset

介绍

# CVE-2024-34693: Server Arbitrary File Read in Apache Superset

Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. By enabling local_infile in the Superset MySQL/MariaDB client and pointing the client to a malicious MySQL server, an attacker may launch “LOAD DATA LOCAL INFILE” (Rogue MySQL Server) attacks resulting in reading files from the server and inserting their content in a MariaDB database table.

### Vendor Disclosure:

The vendor's disclosure for this vulnerability can be found [here](https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon).

### Requirements:

This vulnerability requires:
<br/>
- Valid credentials for a user which can create database connections
        <br/>OR
- Bypassing authentication via known Flask secret

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2024-34693/blob/main/Apache%20Superset%20-%20CVE-2024-34693.pdf).

### Additional Resources:

[Bettercap's mysql.server (rogue)](https://www.bettercap.org/modules/ethernet/servers/mysql.server/)

Blogposts from horizon3.ai regarding the exploitation of multiple Superset CVEs from 2023 [Part 1](https://www.horizon3.ai/attack-research/disclosures/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/) and [Part 2](https://www.horizon3.ai/attack-research/disclosures/apache-superset-part-ii-rce-credential-harvesting-and-more/)

文件快照

 [4.0K]  /data/pocs/0fb54d1272c890255d7d9b3ecc56679206f6b892
├── [2.2M]  Apache Superset - CVE-2024-34693.pdf
└── [1.5K]  README.md

0 directories, 2 files

备注