BIT-superset-2023-37941

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/superset/BIT-superset-2023-37941.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-superset-2023-37941

Aliases

Published

2025-02-05T07:27:54.294Z

Modified

2025-05-20T10:02:07.006Z

Summary

Apache Superset: Metadata db write access can lead to remote code execution

Details

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend.

The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges.

This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.

Database specific

{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*"
    ]
}

References

Affected packages

Bitnami / superset

Package

Name: superset
Purl: pkg:bitnami/superset

Severity

6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

1.5.0

Fixed

2.1.1