CVE-2018-8021

high-risk
Published 2018-11-07

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

Do I need to act?

!
65.3% chance of exploitation in next 30 days
EPSS score — higher than 35% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
45933
+
Fix available
Upgrade to: 0fcdfcfd8c20632298e2cd6a68462a9dab7dbc67
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Apache

References (4)

Patch https://github.com/apache/incubator-superset/pull/4243
Exploit https://www.exploit-db.com/exploits/45933/
Patch https://github.com/apache/incubator-superset/pull/4243
Exploit https://www.exploit-db.com/exploits/45933/
56
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 19/34 · Moderate
Exposure 5/34 · Minimal