CVE-2020-13948

 

Published at: - 17-09-2020 03:15

Last modified: - 21-11-2022 02:55

Total changes: - 2

Description

While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s `os` package in the web application process in versions < 0.37.1. It was thus possible for an authenticated user to list and access files, environment variables, and process information. Additionally it was possible to set environment variables for the current process, create and update files in folders writable by the web process, and execute arbitrary programs accessible by the web process. All other operations available to the `os` package in Python were also available, even if not explicitly enumerated in this CVE.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://lists.apache.org/thread.html/rdeee068ac1e0c43bd5b69830240f30598df15a2ef9f7998c7b29131e%40%3Cdev.superset.apache.org%3E
• [superset-notifications] 20201112 [GitHub] [incubator-superset] ktmud commented on pull request #11617: feat: support 'chevron' library for templating as jinja alternative-Mailing List, Vendor Advisory
• [superset-notifications] 20201112 [GitHub] [incubator-superset] robdiciuccio commented on pull request #11617: feat: support 'chevron' library for templating as jinja alternative-Mailing List, Vendor Advisory

 

Keywords

NVD

 

CVE-2020-13948

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures