CVE-2023-27524

Warning

Exploit

EPSS 82.33%
Published 24.04.2023 16:15:07
Last modified 06.03.2025 19:48:51
Source security@apache.org
Teams watchlist Login
Open Login

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database.
Add a strong SECRET_KEY to your `superset_config.py` file like:

SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.

Affected products Warnungen 1 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Superset Version <= 2.0.1

08.01.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Superset Insecure Default Initialization of Resource Vulnerability

Vulnerability

Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.

Description

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	82.33%	0.992

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@apache.org	8.9	2.2	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk

Vendor Advisory

Mailing List

https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html

Third Party Advisory

Exploit

VDB Entry

https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

https://www.openwall.com/lists/oss-security/2023/04/24/2

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-27524

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-27524

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-27524

EUVD