Vulnerabilities > CVE-2018-8021 - Deserialization of Untrusted Data vulnerability in Apache Superset

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

apache

CWE-502

critical

exploit available

NVD

Published: 2018-11-07

Updated: 2019-01-30

Summary

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Superset 0.2.0 Apache Superset 0.2.1 Apache Superset 0.4.0 Apache Superset 0.5.0 Apache Superset 0.5.1 Apache Superset 0.5.2 Apache Superset 0.5.3 Apache Superset 0.6.0 Apache Superset 0.6.1 Apache Superset 0.7.0 Apache Superset 0.8.0 Apache Superset 0.8.1 Apache Superset 0.8.2 Apache Superset 0.8.3 Apache Superset 0.8.4 Apache Superset 0.8.5 Apache Superset 0.8.6 Apache Superset 0.8.7 Apache Superset 0.8.8 Apache Superset 0.8.9 Apache Superset 0.9.0 Apache Superset 0.9.1 Apache Superset 0.10.0 Apache Superset 0.11.0 Apache Superset 0.12.0 Apache Superset 0.13.0 Apache Superset 0.13.1 Apache Superset 0.13.2 Apache Superset 0.14.0 Apache Superset 0.14.1 Apache Superset 0.15.0 Apache Superset 0.15.1 Apache Superset 0.15.2 Apache Superset 0.15.3 Apache Superset 0.15.4 Apache Superset 0.15.4.1 Apache Superset 0.16.0 Apache Superset 0.16.1 Apache Superset 0.17.0 Apache Superset 0.17.1 Apache Superset 0.17.2 Apache Superset 0.17.3 Apache Superset 0.17.4 Apache Superset 0.17.5 Apache Superset 0.17.6 Apache Superset 0.18.0 Apache Superset 0.18.2 Apache Superset 0.18.3 Apache Superset 0.18.4 Apache Superset 0.18.5 Apache Superset 0.19.0 Apache Superset 0.19.1 Apache Superset 0.20.0 Apache Superset 0.20.1 Apache Superset 0.20.2 Apache Superset 0.20.3 Apache Superset 0.20.4 Apache Superset 0.20.5 Apache Superset 0.20.6 Apache Superset 0.21.0 Apache Superset 0.21.1 Apache Superset 0.21.2 Apache Superset 0.22.0 Apache Superset 0.22.1	75

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Exploit-Db

id	EDB-ID:45933

Packetstorm

data source	https://packetstormsecurity.com/files/download/150602/apachesuperset023-exec.txt
id	PACKETSTORM:150602
last seen	2018-12-04
published	2018-12-04
reporter	David May
source	https://packetstormsecurity.com/files/150602/Apache-Superset-0.23-Remote-Code-Execution.html
title	Apache Superset 0.23 Remote Code Execution

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References