Published: 09 Nov 2018
Source: github
GitHub: reviewed
CVSS4: 9.3
CVSS3: 9.8
Description
Deserialization of Untrusted Data in superset
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.
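The advisory names the pattern (an unsafe pickle load on data the caller controls) but does not show it. The Python below is an added example, not code from Superset or from this advisory: a constructed malicious pickle whose __reduce__ hook makes the unpickler call tempfile.mkdtemp (a harmless stand-in for os.system), the scanner a responder can run over a suspect blob before loading it, an Unpickler subclass that refuses every global lookup, and the JSON replacement that cannot invoke callables at all. The payload, the function names and the sample JSON are all constructed for this example.

```python
import io
import json
import os
import pickle
import pickletools
import tempfile


class Payload:
    """Constructed malicious object: pickle records it as a call to tempfile.mkdtemp.

    A real attacker would return (os.system, ("<command>",)); mkdtemp is a
    harmless stand-in whose side effect (a new directory) proves the call ran.
    """

    def __reduce__(self):
        return (tempfile.mkdtemp, ("", "pickle_rce_demo_"))


def vulnerable_load(data: bytes):
    """The CWE-502 pattern from the advisory: pickle.loads on untrusted bytes."""
    return pickle.loads(data)


def globals_in_pickle(data: bytes):
    """List every (module, name) a pickle would import, without executing it.

    Protocol <= 3 uses GLOBAL with a "module name" argument; protocol 4+ uses
    STACK_GLOBAL, which takes the two preceding string opcodes. Strings reused
    through the memo (BINGET) are not tracked here, so treat an empty result as
    "nothing obvious", not as "safe".
    """
    found = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            found.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global, so a __reduce__ callback can never be resolved."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load(data: bytes):
    """JSON only builds dicts, lists, strings and numbers; nothing is called."""
    return json.loads(data.decode("utf-8"))


def demo():
    malicious = pickle.dumps(Payload())          # attacker-supplied bytes
    seen = globals_in_pickle(malicious)          # [("tempfile", "mkdtemp")]

    created = vulnerable_load(malicious)         # unpickling calls mkdtemp(...)
    executed = os.path.isdir(created)            # the directory exists: code ran
    os.rmdir(created)

    try:
        restricted_load(malicious)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True                           # rejected before any call

    # Constructed sample of the kind of structured payload the caller needs.
    safe = safe_load(b'{"metric": "count", "limit": 10}')
    return {"globals": seen, "executed": executed, "blocked": blocked, "safe": safe}


if __name__ == "__main__":
    print(demo())
```

The scanner is the incident-response half: run globals_in_pickle over a blob recovered from a request log or a cache before anyone reproduces the bug with pickle.loads. The restricted unpickler is a containment measure for code that cannot drop pickle immediately; the durable fix is the one the 0.23 release took, which is to stop deserialising attacker-reachable data with pickle at all.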
Links
- https://nvd.nist.gov/vuln/detail/CVE-2018-8021
- https://github.com/apache/incubator-superset/pull/4243
- https://github.com/apache/superset/pull/4243
- https://github.com/apache/superset/commit/2c72a7ae4fc0a8bac1f037a79efa90e1c5549710
- https://github.com/advisories/GHSA-vxp9-wv2f-wqmw
- https://github.com/pypa/advisory-database/tree/main/vulns/superset/PYSEC-2018-74.yaml
- https://www.exploit-db.com/exploits/45933
Packages
Name: superset (pip)
Affected versions: < 0.23
Fixed version: 0.23
EPSS
Percentile: 99%
Score: 0.78272 (High)
CVSS4: 9.3 Critical
CVSS3: 9.8 Critical
CVE ID: CVE-2018-8021
Weaknesses
CWE-502
Related vulnerabilities
nvd (CVSS3: 9.8), more than 7 years ago