CVE-2023-37941

Published: Sep 6, 2023

Modified: Feb 13, 2025

PUBLISHED

CVSS v3.1

6.6

MEDIUM

Description

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.

Vendor	Product	Versions
Apache Software Foundation	Apache Superset	affected `1.5.0 - <= 2.1.0`

Weaknesses (CWE)

CWE-502

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h

vendor-advisory

http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-37941

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References