CVE-2024-34693 PoC — Apache Superset: Server arbitrary file read

Source
Associated Vulnerability
Title: Apache Superset: Server arbitrary file read (CVE-2024-34693)
Description: Improper Input Validation vulnerability in Apache Superset allows an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table. This issue affects Apache Superset: before 3.1.3 and version 4.0.0. Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.
Description
CVE-2024-34693: Server Arbitrary File Read in Apache Superset
Readme
# CVE-2024-34693: Server Arbitrary File Read in Apache Superset

An improper input validation vulnerability in Apache Superset allows an authenticated attacker to create a MariaDB connection with `local_infile` enabled. By enabling `local_infile` in the Superset MySQL/MariaDB client and pointing the client to a malicious MySQL server, an attacker may launch “LOAD DATA LOCAL INFILE” (Rogue MySQL Server) attacks, which read files from the Superset server and insert their content into a MariaDB database table.
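For defenders, one way to review existing Superset database connections for this setting, as an added example (not code from this README or from Superset). It assumes each connection's SQLAlchemy URI and `extra` JSON have been exported for review; the option names checked are those of common Python MySQL drivers, and every row in `SAMPLES` is constructed.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Client-side switches for LOAD DATA LOCAL INFILE in common Python MySQL
# drivers: local_infile (mysqlclient, PyMySQL), allow_local_infile (mysql-connector).
LOCAL_INFILE_KEYS = {"local_infile", "allow_local_infile"}
OFF_VALUES = {"", "0", "false", "off", "no", "none"}

def _enabled(value):
    """Anything that is not an explicit 'off' value counts as enabled."""
    if isinstance(value, str):
        return value.strip().lower() not in OFF_VALUES
    return bool(value)

def _walk(node, path=""):
    """Yield (path, value) for local-infile keys anywhere in nested JSON."""
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in LOCAL_INFILE_KEYS:
                yield here, val
            else:
                yield from _walk(val, here)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk(val, f"{path}[{i}]")

def audit_connection(sqlalchemy_uri, extra_json="{}"):
    """List where a MySQL/MariaDB connection definition enables local infile."""
    parts = urlsplit(sqlalchemy_uri)
    if not parts.scheme.lower().startswith(("mysql", "mariadb")):
        return []  # other engines are out of scope for this check
    findings = [f"uri:{k}={v}" for k, v in parse_qsl(parts.query, keep_blank_values=True)
                if k.lower() in LOCAL_INFILE_KEYS and _enabled(v)]
    try:
        extra = json.loads(extra_json or "{}")
    except json.JSONDecodeError:
        return findings + ["extra:unparseable"]  # review by hand
    findings += [f"extra:{p}={v!r}" for p, v in _walk(extra) if _enabled(v)]
    return findings

# Constructed sample rows (name, URI, extra JSON); hosts and credentials are made up.
SAMPLES = [
    ("reports", "mysql+pymysql://app:pw@db.example.internal/sales?local_infile=1", "{}"),
    ("legacy", "mysql://app:pw@db.example.internal/old",
     '{"engine_params": {"connect_args": {"local_infile": true}}}'),
    ("clean", "mysql://app:pw@db.example.internal/ok?charset=utf8mb4", "{}"),
]
if __name__ == "__main__":
    for name, uri, extra in SAMPLES:
        print(name, audit_connection(uri, extra) or "ok")
```

A non-empty result marks a connection to review; upgrading to 4.0.1 or 3.1.3, as the advisory recommends, remains the fix.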

### Vendor Disclosure:

The vendor's disclosure for this vulnerability can be found [here](https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon).

### Requirements:

This vulnerability requires:

- Valid credentials for a user who can create database connections

  OR

- Bypassing authentication via a known Flask secret

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2024-34693/blob/main/Apache%20Superset%20-%20CVE-2024-34693.pdf).

### Additional Resources:

[Bettercap's mysql.server (rogue)](https://www.bettercap.org/modules/ethernet/servers/mysql.server/)

Blog posts from horizon3.ai regarding the exploitation of multiple Superset CVEs from 2023: [Part 1](https://www.horizon3.ai/attack-research/disclosures/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/) and [Part 2](https://www.horizon3.ai/attack-research/disclosures/apache-superset-part-ii-rce-credential-harvesting-and-more/)

File Snapshot

[4.0K] /data/pocs/0fb54d1272c890255d7d9b3ecc56679206f6b892
├── [2.2M] Apache Superset - CVE-2024-34693.pdf
└── [1.5K] README.md

0 directories, 2 files