CVE-2018-8021: Deserialization of Untrusted Data in superset
9.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.98971%
CWE
Published
11/9/2018
Updated
10/28/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
superset | pip | < 0.23 | 0.23 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from using Python's unsafe pickle module for serialization/deserialization:
- export_dashboards in models/core.py used pickle.dumps() to serialize dashboards, creating attack vectors in exported files
- import_dashboards in views/core.py used pickle.load() on user-controlled input, enabling RCE via malicious pickle payloads
- The patch replaced pickle with JSON serialization and introduced a safe decoder, confirming these were the vulnerable points
- CVE description explicitly mentions unsafe load method from pickle library
- Exploit PoC demonstrates weaponized pickle payloads being uploaded through the dashboard import functionality