Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2023-37941

CVE-2023-37941: Apache Superset RCE Vulnerability

CVE-2023-37941 is a remote code execution flaw in Apache Superset allowing attackers with database write access to execute arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2023-37941 Overview

CVE-2023-37941 is an insecure deserialization vulnerability in Apache Superset that allows attackers with write access to the Superset metadata database to persist malicious Python objects, potentially leading to remote code execution on the web backend. The vulnerability affects Apache Superset versions 1.5.0 through 2.1.0 and is classified as CWE-502 (Deserialization of Untrusted Data).

The Superset metadata database is an internal component typically only accessible by system administrators and the Superset process itself. While gaining direct access to this database requires significant privileges, successful exploitation enables attackers to achieve remote code execution with the permissions of the Superset web application.

Critical Impact

Attackers with metadata database access can execute arbitrary Python code on the Superset web backend, potentially compromising the entire data visualization infrastructure and connected data sources.

Affected Products

  • Apache Superset versions 1.5.0 through 2.1.0
  • Apache Superset deployments with exposed metadata database access
  • Environments with insufficiently secured PostgreSQL/MySQL metadata stores

Discovery Timeline

  • 2023-09-06 - CVE-2023-37941 published to NVD
  • 2025-02-13 - Last updated in NVD database

Technical Details for CVE-2023-37941

Vulnerability Analysis

This vulnerability stems from insecure deserialization of Python objects stored within the Apache Superset metadata database. When Superset deserializes stored objects from its metadata database, it fails to properly validate or sanitize the serialized data before processing. An attacker who has obtained write access to the metadata database can craft a malicious serialized Python object that, when deserialized by the Superset application, executes arbitrary code.

The attack requires the attacker to first gain write access to the metadata database—typically a PostgreSQL or MySQL instance—which stores Superset's configuration, dashboard definitions, and other application state. While this prerequisite limits the attack surface, database credentials may be obtained through configuration file exposure, credential stuffing, or compromised administrator accounts.

Root Cause

The root cause is the use of insecure deserialization practices when handling Python objects stored in the metadata database. Python's pickle module or similar serialization mechanisms can deserialize arbitrary objects, including those with malicious __reduce__ methods that execute code during the unpickling process. Apache Superset versions prior to 2.1.1 did not implement sufficient safeguards against deserializing untrusted objects from the database layer.

Attack Vector

The attack is network-based but requires high privileges (database write access) to execute. The exploitation flow involves:

  1. Attacker gains write access to the Superset metadata database through credential theft, SQL injection in another component, or insider access
  2. Attacker crafts a malicious serialized Python object designed to execute code upon deserialization
  3. The malicious payload is inserted into a database field that Superset will later deserialize
  4. When Superset retrieves and deserializes the stored object, the malicious code executes with the privileges of the Superset web application process

The vulnerability can be exploited to establish reverse shells, exfiltrate data from connected data sources, pivot to other internal systems, or achieve persistent access to the Superset infrastructure. Technical details and proof-of-concept information are available in the Packet Storm exploit report.

Detection Methods for CVE-2023-37941

Indicators of Compromise

  • Unexpected or malformed serialized data entries in Superset metadata database tables
  • Unusual process spawning from the Superset web application (e.g., shells, network utilities)
  • Anomalous database queries writing binary or base64-encoded data to metadata tables
  • Outbound network connections from Superset servers to unexpected destinations

Detection Strategies

  • Monitor metadata database access logs for unauthorized write operations or connections from unexpected sources
  • Implement file integrity monitoring on Superset configuration files and database connection strings
  • Deploy application-level logging to track deserialization operations and object instantiation
  • Use network intrusion detection to identify reverse shell traffic or command-and-control communications from Superset hosts

Monitoring Recommendations

  • Enable audit logging on the metadata database (PostgreSQL log_statement or MySQL general_log)
  • Implement alerting for database schema modifications or bulk data insertions to metadata tables
  • Monitor Superset application logs for Python exceptions related to deserialization or pickle operations
  • Correlate database access events with Superset authentication logs to identify unauthorized access patterns

How to Mitigate CVE-2023-37941

Immediate Actions Required

  • Upgrade Apache Superset to version 2.1.1 or later immediately
  • Audit metadata database access credentials and rotate any potentially compromised passwords
  • Review database access logs for suspicious write operations to Superset metadata tables
  • Restrict network access to the metadata database to only the Superset application server

Patch Information

Apache has released version 2.1.1 to address this vulnerability. Users should upgrade to version 2.1.1 or later as recommended in the Apache Security Advisory. The patch implements proper validation and sanitization of serialized objects before deserialization, preventing arbitrary code execution through malicious payloads.

Workarounds

  • Implement strict network segmentation to prevent unauthorized access to the metadata database
  • Use database firewall rules to restrict write operations to metadata tables from authorized sources only
  • Deploy additional authentication layers (mutual TLS, VPN) for database access
  • Consider implementing database activity monitoring solutions to detect and block suspicious serialized data writes
bash
# Example: Restrict PostgreSQL metadata database access to Superset application server only
# postgresql.conf
listen_addresses = 'localhost'

# pg_hba.conf - Allow only specific IP for Superset application
host    superset_db    superset_user    10.0.1.100/32    scram-sha-256
host    superset_db    all              0.0.0.0/0        reject

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne