CVE-2023-37941 MEDIUM

CVE-2023-37941: Apache Superset: Metadata db write access can lead to remote code execution

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-502 · Unsafe deserialization

Published September 6, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

6.6/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.

Key dates

Disclosure timeline

September 6, 2023 CVE published

February 13, 2025 Record updated

Identifiers

CVE CVE-2023-37941

CWE CWE-502

CVSS 6.6 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache Superset

Affected ≥ 1.5.0 and ≤ 2.1.0