CVE-2018-8021
Apache Superset < 0.23 - Remote Code Execution
Severity Score
9.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data, leading to possible remote code execution. Note: Superset 0.23 was released before any Superset release under the Apache Software Foundation.
Apache Superset version 0.23 suffers from a remote code execution vulnerability.
*Credits:
N/A
CVSS Scores
CVSS v3
- Attack Vector
- Attack Complexity
- Privileges Required
- User Interaction
- Scope
- Confidentiality
- Integrity
- Availability
CVSS v2
- Attack Vector
- Attack Complexity
- Authentication
- Confidentiality
- Integrity
- Availability
* Common Vulnerability Scoring System
SSVC
- Decision: -
- Exploitation
- Automatable
- Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-03-09 CVE Reserved
- 2018-11-07 CVE Published
- 2018-12-03 First Exploit
- 2024-08-05 CVE Updated
- 2024-10-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (3)
URL | Date | SRC |
---|---|---|
https://www.exploit-db.com/exploits/45933 | 2024-08-05 | |
https://github.com/r3dxpl0it/Apache-Superset-Remote-Code-Execution-PoC-CVE-2018-8021 | 2018-12-03 | |
URL | Date | SRC |
---|---|---|
https://github.com/apache/incubator-superset/pull/4243 | 2019-01-30 | |