Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-fj4x-m62j-wvwg: Apache Superset Deserialization of Untrusted Data vulnerability

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset’s web backend. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0.

ghsa
#vulnerability#web#apache#git#rce

Apache Superset Deserialization of Untrusted Data vulnerability

Moderate severity GitHub Reviewed Published Sep 6, 2023 to the GitHub Advisory Database • Updated Sep 8, 2023

Related news

Alert: Apache SuperSet Vulnerabilities Expose Servers to Remote Code Execution Attacks

Patches have been released to address two new security vulnerabilities in Apache SuperSet that could be exploited by an attacker to gain remote code execution on affected systems. The update (version 2.1.1) plugs CVE-2023-39265 and CVE-2023-37941, which make it possible to conduct nefarious actions once a bad actor is able to gain control of Superset’s metadata database. Outside of these

CVE-2023-37941

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0.