Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt

Rule Explanation

This event is generated when an authenticated user attempts to exploit a deserialization vulnerability in Apache Superset. Impact: Attempted User Privilege Gain Details: Rule checks for attempts to exploit a deserialization vulnerability in Apache Superset. Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Rule Vulnerability

CVE Additional Information

CVE-2018-8021
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.
Details
Severity Base Score9.8
Impact Score5.9 Exploit Score3.9
Confidentiality ImpactHIGH Integrity ImpactHIGH
Availability ImpactHIGH Access Vector
Authentication Ease of Access