CVE-2023-37941: Deserialization of Untrusted Data

September 6, 2023 (updated October 13, 2023)

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset’s web backend. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0.

References

lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h
nvd.nist.gov/vuln/detail/CVE-2023-37941

Code Behaviors & Features

Detect and mitigate CVE-2023-37941 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →