CVE-2023-37941
Apache Superset: Metadata db write access can lead to remote code execution
Public Exploits: 1
Exploited in Wild: -
Descriptions
If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend.
The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges.
This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.
Apache Superset versions 2.0.0 and below utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to log in to the site, they can decode the cookie, set their user_id to that of an administrator, and re-sign the cookie. This valid cookie can then be used to log in as the targeted user. From there the Superset database is mounted, and credentials are pulled. A dashboard is then created. Lastly, a pickled Python payload can be set for that dashboard within Superset's database, which will trigger the remote code execution. An attempt to clean up ALL of the dashboard key values and reset them to their previous values happens during the cleanup phase.
SSVC
- Decision: Track*
Timeline
- 2023-05-08 First Exploit
- 2023-07-11 CVE Reserved
- 2023-09-06 CVE Published
- 2024-09-27 CVE Updated
- 2024-10-08 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-502: Deserialization of Untrusted Data
References (8)
URL | Date | SRC
---|---|---
https://github.com/Barroqueiro/CVE-2023-37941 | 2023-05-08 |
https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h | 2023-10-13 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Apache | Superset | >= 1.5.0 <= 2.1.0 | - | Affected