CVE-2022-41703 - Vulnerability Details - OpenCVE

A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00153.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apache	Superset

Configuration 1 [-]

OR	cpe:2.3:a:apache:superset::::::::
	cpe:2.3:a:apache:superset:2.0.0:-::::::
	cpe:2.3:a:apache:superset:2.0.0:rc1::::::
	cpe:2.3:a:apache:superset:2.0.0:rc2::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-0451	A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
Github GHSA	GHSA-cxvp-3frm-3876	Apache Superset's SQL Alchemy connector vulnerable to SQL Injection

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos

History

Tue, 08 Apr 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-01-16T10:14:01.332Z

Updated: 2025-04-08T20:33:49.417Z

Reserved: 2022-09-28T15:13:03.943Z

Link: CVE-2022-41703

Vulnrichment

Updated: 2024-08-03T12:49:43.809Z

NVD

Status : Modified

Published: 2023-01-16T11:15:10.303

Modified: 2025-04-08T21:15:44.640

Link: CVE-2022-41703

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-41703", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2022-09-28T15:13:03.943Z", "datePublished": "2023-01-16T10:14:01.332Z", "dateUpdated": "2025-04-08T20:33:49.417Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Superset", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.0.1", "status": "affected", "version": "2.0.0", "versionType": "semver"}, {"lessThanOrEqual": "1.5.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mingyu Son"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag \"ALLOW_ADHOC_SUBQUERY\" disabled (default value). <span style=\"background-color: rgb(255, 255, 255);\">This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.\n</span><br><br>"}], "value": "A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag \"ALLOW_ADHOC_SUBQUERY\" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.\n\n\n"}], "metrics": [{"other": {"content": {"text": "critical"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"description": "SQL injection in certain query object fields", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-04-11T14:58:51.125Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Superset: SQL injection vulnerability in adhoc clauses", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:49:43.809Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-08T20:32:13.091581Z", "id": "CVE-2022-41703", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T20:33:49.417Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:49:43.809Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-41703", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-08T20:32:13.091581Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T20:33:19.406Z"}}], "cna": {"title": "Apache Superset: SQL injection vulnerability in adhoc clauses", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Mingyu Son"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "critical"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Superset", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.0.1", "versionType": "semver"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag \"ALLOW_ADHOC_SUBQUERY\" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag \"ALLOW_ADHOC_SUBQUERY\" disabled (default value). <span style=\"background-color: rgb(255, 255, 255);\">This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.\n</span><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "SQL injection in certain query object fields"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-04-11T14:58:51.125Z"}}}, "cveMetadata": {"cveId": "CVE-2022-41703", "state": "PUBLISHED", "dateUpdated": "2025-04-08T20:33:49.417Z", "dateReserved": "2022-09-28T15:13:03.943Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-01-16T10:14:01.332Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD514249-ED9E-45F1-9D50-4A7CE6DB166B", "versionEndIncluding": "1.5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:superset:2.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "35CD3C6F-B3E0-437C-A1D7-EF700C76923C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:superset:2.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "ADD3485B-3FFC-4B60-89F5-E4ECA0C680B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:superset:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "BC060A49-79ED-4539-9E68-EDB15D7F2445", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag \"ALLOW_ADHOC_SUBQUERY\" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.\n\n\n"}, {"lang": "es", "value": "Una vulnerabilidad en el conector SQL Alchemy de Apache Superset permite a un usuario autenticado con acceso de lectura a una base de datos espec\u00edfica agregar subconsultas a los campos WHERE y HAVING que hacen referencia a tablas en la misma base de datos a la que el usuario no deber\u00eda tener acceso, a pesar de que el usuario tiene la indicador de funci\u00f3n \"ALLOW_ADHOC_SUBQUERY\" deshabilitado (valor predeterminado). Este problema afecta a Apache Superset versi\u00f3n 1.5.2 y versiones anteriores y a la versi\u00f3n 2.0.0."}], "id": "CVE-2022-41703", "lastModified": "2025-04-08T21:15:44.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-01-16T11:15:10.303", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}