CVE-2018-8021

CRITICAL

Superset <0.23 - Code Injection

Title source: llm

Description

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

Exploits (2)

exploitdb WORKING POC

by David May · pythonwebappslinux

https://www.exploit-db.com/exploits/45933

View Code ZIP pw:eip

nomisec WORKING POC 106 stars

by r3dxpl0it · poc

https://github.com/r3dxpl0it/Apache-Superset-Remote-Code-Execution-PoC-CVE-2018-8021

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/45933/

[Patch, Third Party Advisory] https://github.com/apache/incubator-superset/pull/4243

Scores

CVSS v3 9.8

EPSS 0.6526

EPSS Percentile 98.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (2)

apache/superset < 0.23

pypi/superset 0 - 0.23PyPI

Published Nov 07, 2018

Tracked Since Feb 18, 2026