CVE-2020-13948: OS Command Injection in Apache Superset

Severity: 8.8 HIGH (NVD)
EPSS: 0.7% (top 27.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 17, 2020; latest update May 24, 2022

Description

While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s `os` package in the web application process in versions < 0.37.1. It was thus possible for an authenticated user to list and access files, environment variables, and process information. Additionally it was possible to set environment variables for the current process, create and u
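The description above says that input placed in templated text fields reached Python's `os` package inside the web application process. The following is an added example, not code from Apache Superset or from this page: it reconstructs that class of failure in Jinja2 (Superset renders its templated SQL with Jinja2; the page itself only says "templated text fields", so treat the engine choice as this example's assumption). It contrasts a render context that exposes the `os` module object with a sandboxed, allowlisted context, and shows that Jinja2's sandbox on its own does not help once a module object is in the context, because the sandbox only blocks underscore-prefixed attributes and a handful of unsafe callables. The probe strings, the `render_sql`/`probe_results` helpers and the `SUPERSET_DEMO_*` environment variable names are constructed for the example. For the real product the remediation is the affected range on this page: run 0.37.1 or later.

```python
"""Added example for CVE-2020-13948 (not Apache Superset's own code).

Assumption: the "templated text fields" are rendered with Jinja2. Every
context dict, probe string, helper and environment-variable name below is
constructed for illustration.
"""
import os
from datetime import date

import jinja2
from jinja2.sandbox import SandboxedEnvironment

# Constructed: a value the attacker wants to read out of the process env.
os.environ["SUPERSET_DEMO_SECRET"] = "constructed-demo-value"

# Constructed probe inputs an authenticated user could submit in a templated
# SQL field. Each maps to one capability the advisory lists.
PROBES = {
    # read an environment variable
    "env": "SELECT '{{ os.environ.get('SUPERSET_DEMO_SECRET', 'unset') }}'",
    # read process information
    "pid": "SELECT {{ os.getpid() }}",
    # set an environment variable in the web application process
    "setenv": "SELECT '{{ os.environ.update({'SUPERSET_DEMO_PWNED': '1'}) }}'",
    # generic Jinja2 escape that needs no `os` in the context at all
    "escape": "SELECT {{ ''.__class__.__mro__[1].__subclasses__() | length }}",
}
BENIGN_SQL = "SELECT * FROM sales WHERE day = '{{ today() }}'"
EXPECTED_PID_SQL = f"SELECT {os.getpid()}"  # what the "pid" probe leaks


def today() -> str:
    """Plain function: safe to expose, it yields a value and no module handle."""
    return date(2020, 9, 17).isoformat()  # fixed date so output is deterministic


def weak_context() -> dict:
    """Weak pattern: a whole module object in the render context.

    Anything reachable from `os` (environ, getpid, listdir, system, ...)
    becomes callable from a text field. This is the class of mistake the
    advisory describes; it is not a copy of Superset's pre-0.37.1 context.
    """
    return {"today": today, "os": os}


def hardened_context() -> dict:
    """Hardened pattern: an allowlist of plain values and functions only."""
    return {"today": today}


def render_sql(template_text: str, context: dict, sandboxed: bool) -> str:
    """Render one templated field.

    Returns the rendered SQL, or 'blocked: <ExceptionName>' when the engine
    refuses: UndefinedError for a name missing from the allowlist (StrictUndefined
    makes a missing name fail loudly instead of rendering as an empty string),
    SecurityError when the sandbox rejects an attribute access.
    """
    env_cls = SandboxedEnvironment if sandboxed else jinja2.Environment
    env = env_cls(undefined=jinja2.StrictUndefined)
    try:
        return env.from_string(template_text).render(**context)
    except (jinja2.exceptions.SecurityError, jinja2.exceptions.UndefinedError) as exc:
        return f"blocked: {type(exc).__name__}"


def probe_results(context: dict, sandboxed: bool) -> dict:
    """Run every probe through one engine/context pairing."""
    return {name: render_sql(tpl, context, sandboxed) for name, tpl in PROBES.items()}


def demo_env_var_was_set() -> bool:
    """True once the 'setenv' probe has run against a context exposing `os`."""
    return os.environ.get("SUPERSET_DEMO_PWNED") == "1"


if __name__ == "__main__":
    for label, ctx, sandboxed in [
        ("weak context, plain engine", weak_context(), False),
        ("weak context, sandbox", weak_context(), True),
        ("allowlisted context, sandbox", hardened_context(), True),
    ]:
        print(f"== {label}")
        print("  benign:", render_sql(BENIGN_SQL, ctx, sandboxed))
        for name, out in probe_results(ctx, sandboxed).items():
            print(f"  {name}: {out}")
```

Running the block prints three rounds: with `os` in the context the env, pid and setenv probes succeed whether or not the sandbox is on, and the dunder escape works only on the plain engine; with the allowlisted context plus sandbox every probe is refused while the benign query still renders. The lesson for any templated field is that the context allowlist, not the sandbox, is the control that keeps `os` out of reach.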

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

Source    | Package                                                       | Affected range
NVD       | apache/superset                                               | < 0.37.1
CVEListV5 | apache_software_foundation/apache_superset (Apache Superset)  | < 0.37.1

Vulnerability Details (4 references)

GHSA    | Apache Superset OS Command Injection | 2022-05-24
OSV     | Apache Superset OS Command Injection | 2022-05-24
OSV     | CVE-2020-13948: While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text | 2020-09-17
CVEList | CVE-2020-13948: While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text | 2020-09-17
CVE-2020-13948 — OS Command Injection in Apache | cvebase