CVE-2020-13948 Overview
CVE-2020-13948 is a critical Server-Side Template Injection (SSTI) vulnerability affecting Apache Superset, the popular open-source business intelligence and data visualization platform. This vulnerability allows authenticated users to craft malicious requests through templated text fields that provide arbitrary access to Python's os package within the web application process.
The vulnerability enables a wide range of attacks including file system access, environment variable manipulation, and arbitrary program execution. An authenticated attacker can leverage this flaw to list and access files, read environment variables containing sensitive configuration data, access process information, create or modify files in writable directories, and execute arbitrary programs accessible by the web process.
Critical Impact
Authenticated attackers can achieve full remote code execution on the Apache Superset server, enabling complete system compromise through Python's os module access.
Affected Products
- Apache Superset versions prior to 0.37.1
Discovery Timeline
- 2020-09-17 - CVE CVE-2020-13948 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-13948
Vulnerability Analysis
This vulnerability represents a Server-Side Template Injection (SSTI) flaw within Apache Superset's templating engine. The application fails to properly sanitize user-supplied input in various templated text fields, allowing authenticated users to inject malicious template directives that execute arbitrary Python code on the server.
The core issue stems from the Jinja2 templating engine's ability to evaluate Python expressions when processing user-controlled template strings. When an attacker injects template syntax that references Python's os module, the server evaluates these expressions within the context of the web application process.
The attack surface is network-accessible and requires low privileges (authenticated user access), with no user interaction needed. A successful exploit results in complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of CVE-2020-13948 lies in insufficient input validation and sandboxing of the Jinja2 template engine used by Apache Superset. The application allows authenticated users to supply template expressions in multiple text fields without properly restricting access to dangerous Python modules and built-in functions.
Specifically, the templating system fails to implement a secure sandbox that would prevent access to Python's os package and other potentially dangerous namespaces. The template context is not properly isolated, allowing template expressions to traverse object hierarchies and access sensitive modules through Python's object introspection capabilities.
Attack Vector
The attack requires an authenticated user account on the Apache Superset instance. An attacker can exploit this vulnerability through the following mechanism:
- The attacker authenticates to Apache Superset with valid credentials
- The attacker navigates to any feature utilizing templated text fields (charts, dashboards, SQL Lab, etc.)
- Malicious Jinja2 template expressions are injected that reference Python's os module
- When the template is processed by the server, the injected code executes with the privileges of the web application process
- The attacker gains the ability to read files, execute commands, and fully compromise the server
The exploitation leverages Jinja2's template syntax to access Python built-in classes and traverse to the os module. Common payloads involve accessing __subclasses__ of base objects to reach classes that import the os module, or utilizing Jinja2's namespace features to directly reference dangerous functions.
Detection Methods for CVE-2020-13948
Indicators of Compromise
- Unusual template expressions containing Python introspection keywords such as __class__, __mro__, __subclasses__, or __globals__ in Superset logs
- Web application logs showing requests with Jinja2 syntax targeting os module functions like os.system, os.popen, or os.environ
- Unexpected file creation or modification in directories writable by the web application process
- New or modified environment variables in the Superset process
- Unusual process spawning from the Superset web application process
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect template injection patterns including {{, {%, __class__, __mro__, and __subclasses__
- Monitor Superset application logs for template rendering errors or exceptions related to blocked module access
- Deploy runtime application self-protection (RASP) solutions to detect and block template injection attempts
- Establish baseline behavior for the Superset process and alert on anomalous child process creation or file system access
Monitoring Recommendations
- Configure centralized logging for all Apache Superset instances with alerting on suspicious template patterns
- Implement endpoint detection and response (EDR) monitoring for unexpected command execution from the web server process
- Monitor network traffic from Superset servers for unusual outbound connections that may indicate command-and-control activity
- Set up file integrity monitoring on the Superset installation directory and web-accessible paths
How to Mitigate CVE-2020-13948
Immediate Actions Required
- Upgrade Apache Superset to version 0.37.1 or later immediately
- Audit user accounts with access to Apache Superset and remove unnecessary privileges
- Review Superset logs for any indicators of exploitation attempts
- Temporarily disable templated text field functionality if upgrade is not immediately possible
- Implement network segmentation to limit the blast radius of potential compromise
Patch Information
Apache has addressed this vulnerability in version 0.37.1 of Apache Superset. Organizations should upgrade to this version or later to fully remediate the vulnerability.
For detailed information about the security fix, refer to the Apache Superset Development Discussion on the Apache mailing list. Additional notification updates are available through the Apache Superset Notification Update 1 and Apache Superset Notification Update 2.
Workarounds
- Restrict access to Apache Superset to only trusted, vetted users until patching is complete
- Implement strict input validation at the reverse proxy or WAF level to filter template injection patterns
- Run Apache Superset in a containerized environment with minimal privileges and filesystem access
- Disable or limit access to features that utilize templated text fields where possible
- Deploy application-level controls to sandbox the Jinja2 environment and block access to dangerous Python modules
# Configuration example - Restrict Superset access at nginx reverse proxy level
# Add to nginx server block to block common template injection patterns
location / {
if ($request_body ~* "(\{\{|\{\%|__class__|__mro__|__subclasses__|__globals__|os\.system|os\.popen)") {
return 403;
}
proxy_pass http://superset_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
