CVE-2018-8021

CRITICAL

Superset <0.23 - Code Injection

Title source: llm

Description

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

Exploits (2)

nomisec WORKING POC 106 stars

by r3dxpl0it · poc

https://github.com/r3dxpl0it/Apache-Superset-Remote-Code-Execution-PoC-CVE-2018-8021

View Code ZIP pw:eip

exploitdb WORKING POC

by David May · pythonwebappslinux

https://www.exploit-db.com/exploits/45933

View Code ZIP pw:eip

References (2)

[Patch, Third Party Advisory] https://github.com/apache/incubator-superset/pull/4243

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/45933/

Scores

CVSS v3 9.8

EPSS 0.6994

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

apache/superset < 0.23

pypi/superset < 0.23PyPI

Timeline

Published Nov 07, 2018

Tracked Since Feb 18, 2026