Vulnerabilities > CVE-2023-37941 - Deserialization of Untrusted Data vulnerability in Apache Superset

CVSS 6.6 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

high complexity

apache

CWE-502

NVD

Published: 2023-09-06

Updated: 2023-10-13

Summary

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Superset 1.5.0 Apache Superset 1.5.1 Apache Superset 2.0.0 Apache Superset 2.0.1 Apache Superset 2.1.0	20

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References