CVE-2023-37941

CWE-502 — Deserialization of Untrusted Data5 documents5 sources

Severity

6.6MEDIUM

EPSS

84.2%

top 0.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedSep 6

Description

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges. This vulnerability impacts Apache Superset versions 1.5.…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9

Affected Packages3 packages

▶PyPIapache-superset1.5.0 — 2.1.1

▶NVDapache/superset1.5.0 — 2.1.0

▶CVEListV5apache_software_foundation/apache_superset1.5.0 — 2.1.0

🔴Vulnerability Details

GHSA

Apache Superset Deserialization of Untrusted Data vulnerability↗2023-09-06

▶

OSV

Apache Superset Deserialization of Untrusted Data vulnerability↗2023-09-06

▶

CVEList

Apache Superset: Metadata db write access can lead to remote code execution↗2023-09-06

▶

VulnCheck

Apache superset Deserialization of Untrusted Data↗2023

▶