Apache Superset is an open-source data visualization and exploration platform written in Python on top of the Flask web framework. Version 2.1.1 fixes two flaws, tracked as CVE-2023-39265 and CVE-2023-37941, that could be used to hijack Superset's metadata database.
Researchers at Horizon3 pointed out that Superset is designed to let privileged users connect to arbitrary databases and run arbitrary SQL through its SQL Lab interface. By tricking Superset into connecting to its own metadata database, an attacker can read and write the application's configuration directly through that interface, which can lead to credential harvesting and remote code execution.
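A defender-side check for the condition described above, added here as an example rather than code from the article, Horizon3 or the Superset project: given the SQLAlchemy URIs of the configured SQL Lab connections and the metadata database URI, it flags any connection that resolves to the metadata database even when the driver suffix, credentials, default port or hostname case differ. It assumes you can export the connection URIs (Superset keeps them in the `sqlalchemy_uri` column of its `dbs` table) and read the metadata URI from `SQLALCHEMY_DATABASE_URI` in `superset_config.py`; both are assumptions stated in the code.

```python
"""Flag Superset database connections that point at Superset's own
metadata database. Added example; assumes URIs were exported from the
`dbs.sqlalchemy_uri` column and SQLALCHEMY_DATABASE_URI (assumption)."""
from urllib.parse import urlsplit, unquote

# Default ports, so "host" and "host:5432" compare equal for PostgreSQL.
DEFAULT_PORTS = {"postgresql": 5432, "mysql": 3306, "mssql": 1433}


def normalize(uri):
    """Reduce a SQLAlchemy URI to (dialect, host, port, database) so that
    cosmetic differences (driver suffix, credentials, omitted default
    port, hostname case) cannot hide a match with the metadata DB."""
    parts = urlsplit(uri)
    # "postgresql+psycopg2" and "postgresql" are the same backend.
    dialect = parts.scheme.split("+", 1)[0].lower()
    if dialect == "sqlite":
        # sqlite URIs carry a file path, not a host; compare the path.
        return ("sqlite", None, None, unquote(parts.path))
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(dialect)
    database = unquote(parts.path).lstrip("/")
    return (dialect, host, port, database)


def find_metadata_connections(connection_uris, metadata_uri):
    """Return the names of configured connections whose normalized
    target equals the metadata database's normalized target."""
    target = normalize(metadata_uri)
    return sorted(name for name, uri in connection_uris.items()
                  if normalize(uri) == target)


# Constructed sample data (not real credentials or hosts).
SAMPLE_CONNECTIONS = {
    "reporting_replica": "postgresql://ro:ro@db-replica.internal:5432/reporting",
    "ops": "postgresql+psycopg2://superset:s3cr3t@DB.internal/superset",
    "local_sqlite": "sqlite:////var/lib/superset/superset.db",
}
SAMPLE_METADATA_URI = "postgresql://superset:s3cr3t@db.internal:5432/superset"

if __name__ == "__main__":
    for name in find_metadata_connections(SAMPLE_CONNECTIONS, SAMPLE_METADATA_URI):
        print(f"connection {name!r} points at the Superset metadata database")
```

Any connection the check reports is one through which SQL Lab users could read or modify Superset's own configuration tables, so it should be removed or restricted.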