{"api_version":"1","generated_at":"2026-04-11T14:58:58+00:00","cve":"CVE-2023-37941","urls":{"html":"https://cve.report/CVE-2023-37941","api":"https://cve.report/api/cve/CVE-2023-37941.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-37941","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-37941"},"summary":{"title":"CVE-2023-37941","description":"If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend.\n\nThe Superset metadata db is an 'internal' component that is typically \nonly accessible directly by the system administrator and the superset \nprocess itself. Gaining access to that database should\n be difficult and require significant privileges.\n\nThis vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2023-09-06 14:15:00","updated_at":"2023-10-13 16:15:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html","refsource":"MISC","tags":[],"title":"Apache Superset 2.0.0 Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h","name":"https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-37941","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37941","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"37941","vulnerable":"1","versionEndIncluding":"2.1.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"superset","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-37941","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend.\n\nThe Superset metadata db is an 'internal' component that is typically \nonly accessible directly by the system administrator and the superset \nprocess itself. Gaining access to that database should\n be difficult and require significant privileges.\n\nThis vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-502 Deserialization of Untrusted Data","cweId":"CWE-502"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache Superset","version":{"version_data":[{"version_affected":"<=","version_name":"1.5.0","version_value":"2.1.0"}]}}]}}]}},"references":{"reference_data":[{"url":"https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h","refsource":"MISC","name":"https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h"},{"url":"http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html","refsource":"MISC","name":"http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"UNKNOWN"},"credits":[{"lang":"en","value":"Dinis Cruz, cruzdinis@ua.pt"},{"lang":"en","value":"Naveen Sunkavally (Horizon3.ai)"}],"impact":{"cvss":[{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}]}},"nvd":{"publishedDate":"2023-09-06 14:15:00","lastModifiedDate":"2023-10-13 16:15:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":6.6,"baseSeverity":"MEDIUM"},"exploitabilityScore":0.7,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*","versionStartIncluding":"1.5.0","versionEndIncluding":"2.1.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}