Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ4cDktd3YyZi13cW13

Deserialization of Untrusted Data in superset

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

Permalink: https://github.com/advisories/GHSA-vxp9-wv2f-wqmw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ4cDktd3YyZi13cW13
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 6 years ago
Updated: about 2 months ago

CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.84241
EPSS Percentile: 0.98708

Identifiers: GHSA-vxp9-wv2f-wqmw, CVE-2018-8021
References:

Repository: https://github.com/apache/superset
Blast Radius: 13.0

Affected Packages

pypi:superset

Dependent packages: 1
Dependent repositories: 21
Downloads: 2,534 last month
Affected Version Ranges: < 0.23
Fixed in: 0.23
All affected versions: 0.13.2, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.3, 0.15.4, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.17.6, 0.18.0, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.20.6, 0.21.0, 0.21.1, 0.22.0, 0.22.1
All unaffected versions: 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.24.0, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.25.5, 0.25.6, 0.26.0, 0.26.2, 0.26.3, 0.27.0, 0.28.0, 0.28.1, 0.30.0, 0.30.1