Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-8021 — Deserialization of Untrusted Data in Apache Superset

CWE-502 — Deserialization of Untrusted Data6 documents5 sources

Severity

9.8CRITICALNVD

EPSS

65.3%

top 1.51%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Superset

Timeline

PublishedNov 7

Latest updateDec 3

Description

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/superset< 0.23

▶PyPIapache/superset< 0.23+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Deserialization of Untrusted Data in superset↗2018-11-09

▶

GHSA

Deserialization of Untrusted Data in superset↗2018-11-09

▶

CVEList

CVE-2018-8021: Versions of Superset prior to 0↗2018-11-07

▶

OSV

CVE-2018-8021: Versions of Superset prior to 0↗2018-11-07

▶

💥Exploits & PoCs

Exploit-DB

Apache Superset < 0.23 - Remote Code Execution↗2018-12-03

▶