CVE-2018-8021

Published: Nov 7, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

Affected (1)

Products: Apache: Superset

Apache

1 product

Superset

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Superset	Before 0.23

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (4)

https://github.com/apache/incubator-superset/pull/4243

Source: security@apache.org

PatchThird Party Advisory

https://www.exploit-db.com/exploits/45933/

Source: security@apache.org

ExploitThird Party AdvisoryVDB Entry

https://github.com/apache/incubator-superset/pull/4243

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.exploit-db.com/exploits/45933/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

Timeline

No history available yet.