Apache SuperSet has released patches to address two critical security vulnerabilities, CVE-2023-39265 and CVE-2023-37941. These vulnerabilities could potentially allow attackers to execute remote code on compromised systems by gaining control of Superset’s metadata database.
CVE-2023-39265 involves a URI bypass issue when connecting to the SQLite database used for the metastore, enabling data manipulation commands. It also includes a lack of validation when importing SQLite database connection information from a file, which could lead to the importation of a malicious ZIP archive file.
The CVE-2023-37941 pertains to the use of Python’s pickle package in Superset versions from 1.5 to 2.1.0, allowing attackers with write access to the metadata database to insert arbitrary pickle payloads and trigger remote code execution.
The latest Superset update also addresses other vulnerabilities, including an arbitrary file read issue in MySQL, abuse of the “superset load_examples” command, default credential usage to access the metadata database, and plaintext database credential exposure when querying the /api/v1/database API as a privileged user (CVE-2023-30776).
These vulnerabilities could pose significant security risks to Superset users if left unpatched. This disclosure follows a previous high-severity vulnerability (CVE-2023-27524) disclosed in April 2023, where attackers could gain admin access to servers and execute arbitrary code due to the use of a default SECRET_KEY.
It was noted that a significant number of Superset servers still use default or easily guessable SECRET_KEY values. The security issues stem from the Superset web interface’s ability to allow users to connect to the metadata database, highlighting the importance of maintaining strong security practices in Superset configurations.