vin01 commented on PR #23888: URL: https://github.com/apache/superset/pull/23888#issuecomment-1712192516
It makes me sad that people are getting CVEs for stuff like this and even trying to fly it as a "RCE". 😞

https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-and-more/

> An attacker with write access to the metadata database can insert an arbitrary pickle payload into the store, and then trigger deserialization of it, leading to remote code execution.

With write access to the metadata database, I don't think any further steps are needed to compromise anything here. Such CVEs should be outright rejected.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org
For additional commands, e-mail: notifications-h...@superset.apache.org
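The quoted report describes the generic property that `pickle.loads` on bytes read from a writable store resolves whatever globals the bytes name. The following is an added example, not code from Superset or from the commenter, showing the standard mitigation from the Python documentation: an `Unpickler` subclass whose `find_class` refuses any global not on an explicit allowlist, so a row that references a callable fails to load instead of executing it. The store rows (`PLAIN_ENTRY`, `GLOBAL_ENTRY`), the `SAFE_GLOBALS` allowlist and the helper names are constructed for this example; the commenter's point that write access to the metadata database is already a compromise is unaffected by this, the unpickler only limits what one specific consumer of that database will do with poisoned rows.

```python
import io
import pickle

# Allowlist of (module, name) pairs a stored value may reference. Plain data
# (dict, list, str, int, ...) needs no globals at all, so this starts empty;
# extend it only with types you deliberately want the store to carry.
SAFE_GLOBALS = set()  # constructed for this example


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on SAFE_GLOBALS."""

    def find_class(self, module, name):
        # Called for every GLOBAL / STACK_GLOBAL opcode in the stream.
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name} from untrusted store"
        )


def restricted_loads(data):
    """Deserialize bytes from a store other principals may have written to."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_from_store(data):
    """Return (ok, value_or_error) so callers can log a rejection, not crash."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample rows standing in for entries of a metadata/cache table.
PLAIN_ENTRY = pickle.dumps({"query": "SELECT 1", "rows": [[1]]})
# Pickling a function reference emits the same global-lookup opcode that any
# callable-bearing payload relies on; a harmless builtin is enough to show
# the allowlist rejecting it.
GLOBAL_ENTRY = pickle.dumps(len)

if __name__ == "__main__":
    print(load_from_store(PLAIN_ENTRY))   # loads: plain data needs no globals
    print(load_from_store(GLOBAL_ENTRY))  # rejected: builtins.len not allowlisted
```

If the store only ever needs to hold plain data, replacing pickle with JSON removes the global-resolution step entirely; the allowlisted unpickler is the option when existing pickled rows cannot be migrated.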