Apache Superset Reverts MariaDB Security Patch, Reintroducing Arbitrary File Read Vulnerability CVE-2024-34693
A critical security fix addressing CVE-2024-34693 has been removed from Apache Superset, restoring a vulnerability that allows authenticated users to read arbitrary files from MariaDB servers. The revert strips away local_infile connection parameter restrictions from MariaDBEngineSpec, enabling LOAD DATA LOCAL INFILE to function without proper safeguards.
The original patch (PR #27919) implemented MariaDB engine specifications matching MySQL protections, specifically constraining the local_infile parameter that governs file read capabilities during database connections. By removing these restrictions, the commit permits authenticated Superset users to establish MariaDB connections with local_infile enabled, creating a pathway to exfiltrate server-side file contents through specially crafted queries.
The vulnerability carries GHSA identifier GHSA-hcr7-cqwc-q5gq and stems from inadequate enforcement of connection parameter controls during database connector initialization. Security researchers note that the local_infile mechanism, when unrestricted, allows clients to request the server read files accessible to the database process and return their contents over the connection. In a Superset deployment context, this elevates the risk since authenticated users across an organization can potentially access sensitive system files through compromised database connectors.
Organizations running Apache Superset instances with MariaDB integrations should evaluate immediate mitigation strategies, including restricting user permissions at the database level, auditing connection configurations, and monitoring for unusual LOAD DATA LOCAL INFILE activity. The security community continues to track whether a corrected patch will follow this revert, as the underlying file read exposure remains active in affected deployments.
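The two controls discussed above, pinning `local_infile` off in the connection settings that the reverted engine spec used to enforce, and scanning query logs for `LOAD DATA LOCAL INFILE`, as an added illustration that is not Superset's own code. The function names, the SQLAlchemy-style URI handling and the general-log sample format are assumptions; it also assumes the MySQL/MariaDB driver in use honours `local_infile=0`.

```python
"""Defensive helpers (hypothetical, not from the Superset project):
1. harden_connection(): strip any user-supplied local_infile setting from a
   database URI and its connect args and force it to 0.
2. find_local_infile_queries(): flag LOAD DATA LOCAL INFILE in query logs."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter spellings used by common MySQL/MariaDB drivers for client-side
# file reads; every one of them is removed and replaced by local_infile=0.
LOCAL_INFILE_KEYS = {"local_infile", "allow_local_infile"}


def harden_connection(uri, connect_args=None):
    """Return (uri, connect_args) with local_infile forced to 0.
    Whatever the user put in the URI query string or the extra connect
    args is discarded rather than trusted, mirroring an enforced engine spec."""
    parts = urlsplit(uri)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in LOCAL_INFILE_KEYS]
    query.append(("local_infile", "0"))
    hardened_uri = urlunsplit(parts._replace(query=urlencode(query)))
    args = {k: v for k, v in (connect_args or {}).items()
            if k not in LOCAL_INFILE_KEYS}
    args["local_infile"] = 0
    return hardened_uri, args


# Matches a general-log "Query" entry whose statement is LOAD DATA LOCAL INFILE.
LOAD_LOCAL_RE = re.compile(r"\bQuery\s+(LOAD\s+DATA\s+LOCAL\s+INFILE\b.*)",
                           re.IGNORECASE)


def find_local_infile_queries(log_lines):
    """Return (line_number, statement) for each line issuing LOAD DATA LOCAL INFILE."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = LOAD_LOCAL_RE.search(line)
        if match:
            hits.append((number, match.group(1).strip()))
    return hits


# Constructed sample log lines in a MariaDB general-log-like layout.
SAMPLE_LOG = [
    "240601 12:00:01     42 Connect\tanalyst@10.0.0.7 on superset",
    "240601 12:00:02     42 Query\tSELECT COUNT(*) FROM sales",
    "240601 12:00:03     42 Query\tLOAD DATA LOCAL INFILE '/tmp/constructed.txt' INTO TABLE scratch",
    "240601 12:00:04     43 Query\tload data local infile 'x.csv' into table t",
]

if __name__ == "__main__":
    print(harden_connection("mysql://u:p@db.example/superset?charset=utf8&local_infile=1",
                            {"local_infile": True, "connect_timeout": 5}))
    print(find_local_infile_queries(SAMPLE_LOG))
```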