CVE-2023-37941 — MEDIUM (6.6)

Q: How severe is CVE-2023-37941?

CVE-2023-37941 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-37941?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Superset.

Vulnerability Description

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by the system administrator and the superset process itself. Gaining access to that database should be difficult and require significant privileges. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.

CVSS Score

6.6

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Superset	>= 1.5.0, <= 2.1.0

Related Weaknesses (CWE)

CWE-502

References

FAQ

What is CVE-2023-37941?

CVE-2023-37941 is a vulnerability with a CVSS score of 6.6 (MEDIUM). If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. T...

How severe is CVE-2023-37941?

CVE-2023-37941 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-37941?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Superset.