CVE-2023-27524

Warnung

Exploit

EPSS 82.33%
Veröffentlicht 24.04.2023 16:15:07
Zuletzt bearbeitet 06.03.2025 19:48:51
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database.
Add a strong SECRET_KEY to your `superset_config.py` file like:

SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Superset Version <= 2.0.1

08.01.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Superset Insecure Default Initialization of Resource Vulnerability

Schwachstelle

Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	82.33%	0.992

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@apache.org	8.9	2.2	6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk

Vendor Advisory

Mailing List

https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html

Third Party Advisory

Exploit

VDB Entry

https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

https://www.openwall.com/lists/oss-security/2023/04/24/2

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-27524

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-27524

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-27524

EUVD