Apache Superset Remote Code Execution Vulnerability (CVE-2020-13948)

Sep 27, 2020 GMT+08:00

I. Overview

Apache has released a security notice disclosing a remote code execution vulnerability (CVE-2020-13948) in Apache Superset. An authenticated user can craft requests that lead to remote code execution on the server.

If you use Apache Superset, check your version and apply security hardening promptly.

For more information about this vulnerability, visit the following website:

https://lists.apache.org/thread.html/rdeee068ac1e0c43bd5b69830240f30598df15a2ef9f7998c7b29131e%40%3Cdev.superset.apache.org%3E

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Apache Superset versions earlier than 0.37.1

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official releases. If your version is in the affected range, upgrade to a fixed version.
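One way to check whether a deployment is in the affected range (earlier than 0.37.1). This is an added example, not code from the advisory or from the Superset project; it assumes the package is installed under the PyPI name `apache-superset` and uses a small purpose-written version parser (not `packaging.version`) so it runs with the standard library only. Pre-release builds such as `0.37.1rc1` are treated as earlier than the final 0.37.1 release, since they predate the fix.

```python
"""Check an Apache Superset version against the CVE-2020-13948 affected range.

Added example; not part of the advisory. The distribution name
'apache-superset' and the version-parsing rules below are assumptions.
"""
import re
from importlib import metadata

# First release the advisory lists as not affected.
FIXED_VERSION = "0.37.1"

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)([.\-A-Za-z].*)?")


def parse_version(text):
    """Split '0.37.1rc1' into ((0, 37, 1), 'rc1').

    The numeric part is the release; anything after it (rc1, .dev0, -beta)
    is treated as a pre-release tag.
    """
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    suffix = match.group(2) or ""
    return numbers, suffix


def version_key(text):
    """Sort key: '0.37' == '0.37.0', and a pre-release of X sorts before X."""
    numbers, suffix = parse_version(text)
    while len(numbers) < 3:
        numbers += (0,)
    # A final release (empty suffix) ranks above any pre-release of the
    # same number; pre-releases fall back to string order among themselves.
    return numbers, 1 if suffix == "" else 0, suffix


def is_affected(version_text):
    """True when the given version is earlier than 0.37.1."""
    return version_key(version_text) < version_key(FIXED_VERSION)


def installed_superset_version():
    """Return the installed Superset version, or None if it is not installed."""
    try:
        return metadata.version("apache-superset")  # assumed PyPI name
    except metadata.PackageNotFoundError:
        return None


def report(version_text=None):
    """Human-readable verdict for an explicit version or the installed one."""
    version_text = version_text or installed_superset_version()
    if version_text is None:
        return "apache-superset is not installed in this environment"
    if is_affected(version_text):
        return (f"Superset {version_text} is AFFECTED by CVE-2020-13948; "
                f"upgrade to {FIXED_VERSION} or later")
    return f"Superset {version_text} is not in the affected range (>= {FIXED_VERSION})"


if __name__ == "__main__":
    import sys
    # Pass a version on the command line, or omit it to inspect this environment.
    print(report(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python check_superset.py 0.37.0` to test a known version string, or without arguments on the host running Superset. Where Superset is deployed in a container, run the script inside that container (or in its virtual environment) so that `importlib.metadata` sees the right package.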

Upgrade reference:

https://github.com/apache/incubator-superset/releases

Note: Before applying the fix, back up your files and test the upgrade thoroughly.