Apache Superset <=2.0.1 Session Validation Vulnerability via Default SECRET_KEY
CVE-2023-27524 Published on April 24, 2023

Apache Superset: Session validation vulnerability when using provided default SECRET_KEY
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.

Github Repository Vendor Advisory NVD

Known Exploited Vulnerability

This Apache Superset Insecure Default Initialization of Resource Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.

The following remediation steps are recommended / required by January 29, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2023-27524 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
LOW

Weakness Type

Insecure Default Initialization of Resource

The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.


Products Associated with CVE-2023-27524

Want to know whenever a new CVE is published for Apache Superset? stack.watch will email you.

Apache Superset
 

Affected Versions

Apache Software Foundation Apache Superset:

Vulnerable Packages

The following package name and versions may be associated with CVE-2023-27524

Package Manager Vulnerable Package Versions Fixed In
composer froxlor/froxlor <= 2.3.3 2.3.4

Exploit Probability

EPSS
84.09%
Percentile
99.29%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.