CVE-2023-37941

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

History

13 Oct 2023, 16:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html -

29 Sep 2023, 18:25

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 6.6

29 Sep 2023, 17:15

Type Values Removed Values Added
Summary If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.

12 Sep 2023, 14:53

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
First Time Apache
Apache superset
References (MISC) https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h - (MISC) https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h - Vendor Advisory

06 Sep 2023, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-06 14:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-37941

Mitre link : CVE-2023-37941

CVE.ORG link : CVE-2023-37941


JSON object : View

Products Affected

apache

  • superset
CWE
CWE-502

Deserialization of Untrusted Data