SCA: security update for apache-superset (GHSA-cj7g-h7rf-h8j9)

high Tenable Self-Hosted Container Security Plugin ID 421801

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- While investigating a bug report on Apache Superset, it was determined that an authenticated user could
craft requests via a number of templated text fields in the product that would allow arbitrary access to
Python’s `os` package in the web application process in versions < 0.37.1. It was thus possible for an
authenticated user to list and access files, environment variables, and process information. Additionally
it was possible to set environment variables for the current process, create and update files in folders
writable by the web process, and execute arbitrary programs accessible by the web process. All other
operations available to the `os` package in Python were also available, even if not explicitly enumerated
in this CVE. (CVE-2020-13948)

Solution

Update the apache-superset library and its related packages to version 0.37.1 or later.

See Also

https://github.com/advisories/GHSA-cj7g-h7rf-h8j9

Plugin Details

Severity: High

ID: 421801

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2020-13948

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/24/2022

Vulnerability Publication Date: 9/17/2020

Reference Information

CVE: CVE-2020-13948

cwe: CWE-78