NVD Vulnerability Detail

CVE-2020-13948

Summary	While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s `os` package in the web application process in versions < 0.37.1. It was thus possible for an authenticated user to list and access files, environment variables, and process information. Additionally it was possible to set environment variables for the current process, create and update files in folders writable by the web process, and execute arbitrary programs accessible by the web process. All other operations available to the `os` package in Python were also available, even if not explicitly enumerated in this CVE.
Publication Date	Sept. 17, 2020, 10:15 p.m.
Registration Date	Jan. 26, 2021, 11:52 a.m.
Last Update	Nov. 21, 2024, 2:02 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:apache:superset::::::::					0.37.1

Related information, measures and tools

No	URL	タグ
1	https://lists.apache.org/thread.html/r0e35c7c5672a6146b962840be5c1a7b7461c05a71cd7ecc62774d155%40%3Cnotifications.superset.apache.org%3E
2	https://lists.apache.org/thread.html/r4fc7115f6e63ac255c48fc68c0da592df55fe4be47cae6378d39ac22%40%3Cnotifications.superset.apache.org%3E
3	https://lists.apache.org/thread.html/rdeee068ac1e0c43bd5b69830240f30598df15a2ef9f7998c7b29131e%40%3Cdev.superset.apache.org%3E	Mailing List Vendor Advisory
4	https://lists.apache.org/thread.html/r0e35c7c5672a6146b962840be5c1a7b7461c05a71cd7ecc62774d155%40%3Cnotifications.superset.apache.org%3E
5	https://lists.apache.org/thread.html/rdeee068ac1e0c43bd5b69830240f30598df15a2ef9f7998c7b29131e%40%3Cdev.superset.apache.org%3E	Mailing List Vendor Advisory
6	https://lists.apache.org/thread.html/r4fc7115f6e63ac255c48fc68c0da592df55fe4be47cae6378d39ac22%40%3Cnotifications.superset.apache.org%3E

Common Vulnerabilities List

JVN Vulnerability Information

Apache Superset における脆弱性

Title	Apache Superset における脆弱性
Summary	Apache Superset には、不特定の脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Sept. 15, 2020, midnight
Registration Date	April 1, 2021, 2:59 p.m.
Last Update	April 1, 2021, 2:59 p.m.

Affected System

Apache Software Foundation

Apache Superset 0.37.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-13948	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13948
National Vulnerability Database (NVD)
2	CVE-2020-13948	https://nvd.nist.gov/vuln/detail/CVE-2020-13948

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	Name	URL
Pony Mail
1	[CVE-2020-13948] Apache Superset Remote Code Execution Vulnerability	https://lists.apache.org/thread.html/rdeee068ac1e0c43bd5b69830240f30598df15a2ef9f7998c7b29131e%40%3Cdev.superset.apache.org%3E
2	[GitHub] [incubator-superset] ktmud commented on pull request #11617: feat: support 'chevron' library for templating as jinja alternative	https://lists.apache.org/thread.html/r0e35c7c5672a6146b962840be5c1a7b7461c05a71cd7ecc62774d155@%3Cnotifications.superset.apache.org%3E
3	[GitHub] [incubator-superset] robdiciuccio commented on pull request #11617: feat: support 'chevron' library for templating as jinja alternative	https://lists.apache.org/thread.html/r4fc7115f6e63ac255c48fc68c0da592df55fe4be47cae6378d39ac22@%3Cnotifications.superset.apache.org%3E

Change Log

No	Changed Details	Date of change
1	[2021年04月01日] 掲載	April 1, 2021, 2:59 p.m.