CVE-2021-41971: Apache Superset: Possible SQL Injection when template processing is enabled

[Daniel Gaspar <dpgaspar () apache org>]

Severity: low

Description:

Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) 
allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.


Mitigation:

Don't enable ENABLE_TEMPLATE_PROCESSING (disabled by default).
Or upgrade to Apache Superset 1.3.1 

Credit:

Apache Superset would like to thank Kevin Kusnardi for reporting this issue