CVE-2023-49736 Information

Description

A `where_in` Jinja macro allows users to specify a quote character which, combined with a carefully crafted statement, would allow for SQL injection in Apache Superset. This issue affects Apache Superset: before 2.1.2, and from 3.0.0 before 3.0.2.

Users are recommended to upgrade to version 3.0.2 which fixes the issue.
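The root cause the description points at is a templating helper that lets the caller choose the string delimiter it wraps values in. Below is an added illustration, not Apache Superset's code or its actual fix: a minimal `where_in`-style helper in an unsafe form next to a hardened form that allow-lists the delimiter and escapes it inside values. The signature `where_in(values, mark)`, the names `SAFE_MARKS` and `TemplateSecurityError`, and the sample inputs are all assumptions made for the example.

```python
"""Added example (not Apache Superset's own code): unsafe vs. hardened
``where_in`` template helper.

Assumed for illustration: the macro takes ``(values, mark)`` where ``mark``
is the quote character used to delimit string values in the rendered
``IN (...)`` list.
"""
from typing import Any, Iterable

# Assumption: only these two characters are legitimate SQL string delimiters.
SAFE_MARKS = frozenset({"'", '"'})


class TemplateSecurityError(ValueError):
    """Raised when a template argument would alter the SQL structure."""


def where_in_unsafe(values: Iterable[Any], mark: str = "'") -> str:
    """Unsafe form: ``mark`` is interpolated verbatim.

    Only the single quote is escaped inside values, so a caller who controls
    ``mark`` controls the text on both sides of every value, i.e. the SQL
    structure rather than just the data.
    """
    def quote(value: Any) -> str:
        if isinstance(value, str):
            return f"{mark}{value.replace(chr(39), chr(39) * 2)}{mark}"
        return str(value)

    return "(" + ", ".join(quote(v) for v in values) + ")"


def where_in_safe(values: Iterable[Any], mark: str = "'") -> str:
    """Hardened form.

    * ``mark`` must be one of the allow-listed delimiters, so it can never
      contribute anything but a single quote character to the statement.
    * Inside a string value the chosen delimiter is doubled (standard SQL
      escaping), so a value cannot terminate its own literal.
    * Only str, int and float values are rendered; anything else is rejected
      rather than stringified into the query.
    """
    if mark not in SAFE_MARKS:
        raise TemplateSecurityError(f"unsupported quote character: {mark!r}")

    def quote(value: Any) -> str:
        if isinstance(value, bool):
            raise TemplateSecurityError("bool is not a portable SQL literal")
        if isinstance(value, (int, float)):
            return repr(value)
        if isinstance(value, str):
            return f"{mark}{value.replace(mark, mark * 2)}{mark}"
        raise TemplateSecurityError(
            f"unsupported value type: {type(value).__name__}"
        )

    return "(" + ", ".join(quote(v) for v in values) + ")"


def delimiter_is_rejected(mark: str) -> bool:
    """Return True when the hardened helper refuses ``mark``."""
    try:
        where_in_safe(["constructed sample"], mark=mark)
    except TemplateSecurityError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs.
    print(where_in_safe(["alpha", "o'brien", 7]))        # ('alpha', 'o''brien', 7)
    # An empty delimiter turns a string into a bare token in the unsafe form;
    # the hardened form refuses it instead of emitting it.
    print(where_in_unsafe(["alpha"], mark=""))           # (alpha)
    print(delimiter_is_rejected(""))                      # True
```

The defensive point is that the delimiter is structural, not data: escaping the values is necessary but not sufficient when the caller also picks the character being escaped. A narrow allow-list on `mark` closes that gap independently of how values are escaped, and a test like `delimiter_is_rejected` is the kind of regression check worth keeping next to any template helper that renders into SQL.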

Reference

https://lists.apache.org/thread/1kf481bgs3451qcz6hfhobs7xvhp8n1p
http://www.openwall.com/lists/oss-security/2023/12/19/2