CVE-2023-37941
MEDIUM · EXPLOITED
Apache Superset <= 2.1.0 - Insecure Deserialization (affected releases include 2.1.0; fixed in 2.1.1)
Title source: ruleDescription
If an attacker gains write access to the Apache Superset metadata database, they can store a specially crafted serialized Python object that the Superset web backend later deserializes, which may lead to remote code execution in the backend process. The Superset metadata database is an internal component that is normally reachable only by the system administrator and the Superset process itself; obtaining write access to it should be difficult and require significant privileges (which is why the CVSS vector carries AC:H and PR:H). In practice, the precondition is weaker than it sounds wherever Superset itself can be made to talk to its own metadata database, which is why the exploit below is listed as working. This vulnerability affects Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.
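The mechanism described above, as a constructed example (added here; this is not Superset's code and not the referenced PoC): a value read back from an application's own database is handed to Python's pickle loader, which is exactly the CWE-502 pattern. The metadata database is stood in for by bytes held in memory, and the `Gadget` class, the `load_value_*` functions and the `demo()` helper are hypothetical names chosen for the illustration. The "vulnerable" loader trusts the blob because it came from "our" database; the two hardened loaders show a restricted unpickler that refuses every global and a plain JSON decoder, which cannot execute code at all.

```python
"""CWE-502 via Python pickle: attacker-controlled bytes in a trusted store.

Constructed example, not Superset code. The 'metadata database' is an
in-memory bytes object; the attacker is assumed to be able to write to it.
"""
import io
import json
import os
import pickle


class Gadget:
    """Attacker-controlled object. __reduce__ tells pickle which callable to
    invoke when the blob is loaded. Here it calls eval() on an attacker
    string that merely returns the loader's PID, proving the code ran in the
    victim process; a real payload would call os.system/subprocess instead."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def craft_malicious_blob() -> bytes:
    """What an attacker with write access to the store would persist."""
    return pickle.dumps(Gadget())


# --- vulnerable pattern: the blob is trusted because it came from 'our' DB ---
def load_value_vulnerable(blob: bytes):
    # pickle.loads executes any callable the blob names, so attacker-controlled
    # bytes here mean code execution inside the web backend process.
    return pickle.loads(blob)


# --- hardened 1: restricted unpickler (deny all globals by default) ---
class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, i.e.
    every time the blob asks for a module-level name. Plain containers and
    scalars (dict, list, str, int, ...) never go through find_class, so an
    empty allow-list still loads ordinary data."""

    ALLOWED = set()  # add ("module", "name") pairs only after review

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_value_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# --- hardened 2: do not use pickle for stored values at all ---
def load_value_json(text: str):
    # JSON carries data only; there is no opcode that names a callable.
    return json.loads(text)


def demo() -> dict:
    """Runs the three loaders over a malicious and a benign blob (both
    constructed here) and reports what happened."""
    malicious = craft_malicious_blob()
    benign_obj = {"chart_id": 42, "columns": ["a", "b"]}
    benign = pickle.dumps(benign_obj)

    # The gadget fired inside this process: the loaded 'value' is our own PID.
    executed = load_value_vulnerable(malicious) == os.getpid()

    try:
        load_value_restricted(malicious)
        refused = False
    except pickle.UnpicklingError:
        refused = True

    return {
        "vulnerable_ran_attacker_code": executed,
        "restricted_refused_payload": refused,
        "restricted_loads_plain_data": load_value_restricted(benign) == benign_obj,
        "json_roundtrip": load_value_json(json.dumps(benign_obj)) == benign_obj,
    }


if __name__ == "__main__":
    print(demo())
```

The restricted unpickler is the pattern documented in the Python standard library for pickle; it is a mitigation, not a cure, because any class you add to the allow-list becomes part of the attack surface again. Where the stored value is only ever data, replacing pickle with JSON (or another data-only format) removes the deserialization gadget entirely.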
Exploits (1)
nomisec
WORKING POC
1 star
by Barroqueiro · remote-auth
https://github.com/Barroqueiro/CVE-2023-37941
References (2)
Core References (2)
Vendor Advisory vendor-advisory
https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h
Exploit, Third Party Advisory
http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
Scores
CVSS v3
6.6
EPSS
0.8424
EPSS Percentile
99.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
VulnCheck KEV
2025-08-12
CWE
CWE-502
Status
published
Products (2)
apache/superset
1.5.0 - 2.1.0
pypi/apache-superset
1.5.0 up to (not including) 2.1.1 · PyPI
Published
Sep 06, 2023
Tracked Since
Feb 18, 2026