
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN517
_____________________________________________________________________

DATE                : 16/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Superset versions prior to
                     0.37.1.

=====================================================================
http://mail-archives.apache.org/mod_mbox/superset-dev/202009.mbox/%3c79345658-d39a-468e-b9cc-b63f55731fd7@Spark%3e
_____________________________________________________________________

Affected Versions: Apache Superset < 0.37.1

While investigating a bug report on Apache Superset, it was determined
that an authenticated user could craft requests via a number of
templated text fields in the product that would allow arbitrary access
to Python's `os` package in the web application process. It was thus
possible for an authenticated user to list and access files,
environment variables, and process information. Additionally, it was
possible to set environment variables for the current process, create
and update files in folders writable by the web process, and execute
arbitrary programs accessible by the web process. All other operations
available to the `os` package in Python were also available, even if
not explicitly enumerated in this CVE.

Will Barrett
Staff Software Engineer
Preset, Inc. | https://preset.io
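As an added example, not taken from the advisory or from the Superset
project, assuming the templated fields are Jinja2 templates rendered
server side: the risky pattern of handing the `os` module to the
template context, beside a hardened renderer that uses Jinja2's
SandboxedEnvironment with an explicit allowlist of helpers and strict
undefined names, plus a pre-save check a field validator could call.
Helper names and values are constructed for the example.

```python
"""Added example: rendering user-controlled template text without
exposing the web process to Python's os module.

Assumptions (not stated in the advisory): the templated fields are
Jinja2 templates, and the vulnerable code exposed the whole `os`
module in the render context.
"""
import os
from datetime import date

import jinja2
from jinja2.sandbox import SandboxedEnvironment


def render_unsafe(template_text: str) -> str:
    """The risky pattern: a plain Environment whose context hands the
    `os` module to whoever controls the template text."""
    env = jinja2.Environment()
    return env.from_string(template_text).render(os=os)


# Allowlist of helpers a template author legitimately needs. Only plain
# callables and values go here, never modules or request objects.
SAFE_CONTEXT = {
    "today": lambda: date.today().isoformat(),
    "current_user_id": lambda: 42,  # constructed stand-in for a real lookup
}


def render_safe(template_text: str, **params) -> str:
    """Hardened renderer: sandboxed attribute access, explicit context,
    and an error (not empty output) for any name outside the allowlist."""
    env = SandboxedEnvironment(undefined=jinja2.StrictUndefined)
    ctx = dict(SAFE_CONTEXT)
    ctx.update(params)  # caller-supplied plain values only
    return env.from_string(template_text).render(**ctx)


def check_template(template_text: str) -> tuple:
    """Validate a template before it is stored: returns (ok, reason).
    Anything reaching for a name not in the allowlist, or for an
    attribute the sandbox refuses, is rejected."""
    try:
        render_safe(template_text)
        return True, ""
    except jinja2.exceptions.UndefinedError as exc:
        return False, f"undefined name: {exc}"
    except jinja2.exceptions.SecurityError as exc:
        return False, f"sandbox violation: {exc}"
```

Rendering with StrictUndefined is what turns a stray `os` reference into a
rejected template instead of silently empty output.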


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
