[CVE-2020-13948] Apache Superset Remote Code Execution Vulnerability

                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2020-13948] Apache Superset Remote Code Execution Vulnerability

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: William Barrett &lt;will () preset io&gt;

Date: Tue, 15 Sep 2020 09:37:34 -0700

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Affected Versions: Apache Superset &lt; 0.37.1

While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests 
via a number of templated text fields in the product that would allow arbitrary access to Python’s `os` package in the 
web application process. It was thus possible for an authenticated user to list and access files, environment 
variables, and process information. Additionally it was possible to set environment variables for the current process, 
create and update files in folders writable by the web process, and execute arbitrary programs accessible by the web 
process. All other operations available to the `os` package in Python were also available, even if not explicitly 
enumerated in this CVE.

Will Barrett
Staff Software Engineer
Preset, Inc. | https://preset.io

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

[CVE-2020-13948] Apache Superset Remote Code Execution Vulnerability William Barrett (Sep 15)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->