PT-2023-5045 · Apache · Apache Superset

Dinis Cruz +1

Published 2023-07-11 · Updated 2025-02-05 · CVE-2023-37941

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Superset versions 1.5.0 through 2.1.0

Description: The issue is a deserialization flaw in Apache Superset. An attacker who gains write access to the Superset metadata database could persist a specially crafted Python object that may lead to remote code execution on Superset's web backend. The metadata database is an internal component that is normally reachable only by the system administrator and the Superset process itself, so reaching it should be difficult and require significant privileges. Approximately 15,849 results were found, indicating potential exposure.

Recommendations: To resolve the issue, upgrade to Apache Superset version 2.1.1 or later. As a temporary workaround, restrict access to the Superset metadata database to reduce the risk of exploitation. System administrators should also ensure that the Superset process itself and the metadata database are properly secured against unauthorized access.

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2023-05589
BIT-SUPERSET-2023-37941
CVE-2023-37941
GHSA-FJ4X-M62J-WVWG

Affected Products

Apache Superset