Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-37941

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.

Published

2023-09-06T14:15:10.483

Last Modified

2025-02-13T17:16:46.787

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.6 (MEDIUM)

Weaknesses

Type: Primary
CWE-502
Type: Secondary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	superset	≤ 2.1.0	Yes

References

http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html ([email protected])
https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h Vendor Advisory ([email protected])
http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)