Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ4cDktd3YyZi13cW13
Deserialization of Untrusted Data in superset
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.
Permalink: https://github.com/advisories/GHSA-vxp9-wv2f-wqmwJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ4cDktd3YyZi13cW13
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: 8 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-vxp9-wv2f-wqmw, CVE-2018-8021
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-8021
- https://www.exploit-db.com/exploits/45933/
- https://github.com/apache/superset/pull/4243
- https://github.com/apache/superset/commit/2c72a7ae4fc0a8bac1f037a79efa90e1c5549710
- https://github.com/advisories/GHSA-vxp9-wv2f-wqmw
Blast Radius: 13.0
Affected Packages
pypi:superset
Dependent packages: 1Dependent repositories: 21
Downloads: 1,516 last month
Affected Version Ranges: < 0.23
Fixed in: 0.23
All affected versions: 0.13.2, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.3, 0.15.4, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.17.6, 0.18.0, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.20.6, 0.21.0, 0.21.1, 0.22.0, 0.22.1
All unaffected versions: 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.24.0, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.25.5, 0.25.6, 0.26.0, 0.26.2, 0.26.3, 0.27.0, 0.28.0, 0.28.1, 0.30.0, 0.30.1