CVE-2023-37941

MEDIUM EXPLOITED

Apache Superset < 2.1.0 - Insecure Deserialization

Description

If an attacker gains write access to the Apache Superset metadata database, they could persist a specially crafted Python object that may lead to remote code execution on Superset's web backend when it is deserialized. The Superset metadata database is an 'internal' component that is typically accessible directly only by the system administrator and the Superset process itself; gaining access to it should be difficult and require significant privileges. This vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.

Exploits (1)

nomisec · working PoC · 1 star
by Barroqueiro · remote-auth
https://github.com/Barroqueiro/CVE-2023-37941

Scores

CVSS v3 6.6
EPSS 0.8427
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2025-08-12

Classification

CWE
CWE-502
Status published

Affected Products (2)

apache/superset < 2.1.0
pypi/apache-superset < 2.1.1 (PyPI)

Timeline

Published Sep 06, 2023
Tracked Since Feb 18, 2026