BIT-superset-2023-27524

Import Source
https://github.com/bitnami/vulndb/tree/main/data/superset/BIT-superset-2023-27524.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-superset-2023-27524
Aliases
Published
2025-02-05T07:28:32.393Z
Modified
2025-05-20T10:02:07.006Z
Summary
Apache Superset: Session validation vulnerability when using provided default SECRET_KEY
Details

Session validation attack in Apache Superset versions up to and including 2.0.1. Installations that have not changed the default SECRET_KEY as the installation instructions direct allow an attacker who knows the default key to forge session cookies, authenticate as any user and access unauthorized resources. This does not affect Superset deployments whose administrators have changed the default value of the SECRET_KEY config.

All Superset installations must set a unique, securely random SECRET_KEY. SECRET_KEY is used to sign every session cookie and to encrypt sensitive information stored in the metadata database, so anyone who knows it can mint cookies the server will accept. Add a strong SECRET_KEY to your superset_config.py file like:

SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively, set it with the SUPERSET_SECRET_KEY environment variable. Because the key also encrypts stored connection credentials, rotating it on an existing deployment invalidates those encrypted values as well as all sessions; recent Superset releases provide a `superset re-encrypt-secrets` command for re-encrypting them under the new key.
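The following is an added illustration, not Superset's or Flask's own code, of why a shared default SECRET_KEY is fatal and of the check a deployer would want before going to production. Superset is a Flask application, and Flask signs its session cookie with SECRET_KEY through itsdangerous; the sketch below reproduces the essential property (payload.timestamp.HMAC, with the key first derived from the secret and a salt) using only the standard library, with SHA-256 in place of itsdangerous' default digest. The constant PLACEHOLDER_DEFAULT_KEY is a stand-in for a publicly known default and is not the value Superset actually ships; the `_user_id`/`_fresh` session keys mirror Flask-Login's layout but are assumptions for the demo, and `configured_key` simply reads the SUPERSET_SECRET_KEY variable named above.

```python
"""Forgeable-session demo and SECRET_KEY sanity check (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import List, Optional

# Assumption: stand-in for a default key published in a config template.
# Any value an attacker can read out of public source has the same effect.
PLACEHOLDER_DEFAULT_KEY = "change-me-default-key"
SALT = b"cookie-session"          # salt name Flask/itsdangerous use for sessions
DEFAULT_MAX_AGE = 31 * 86400      # Flask's default PERMANENT_SESSION_LIFETIME


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _derived_key(secret_key: str) -> bytes:
    # itsdangerous-style "hmac" key derivation: HMAC(secret, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha256).digest()


def sign_session(payload: dict, secret_key: str, now: Optional[int] = None) -> str:
    """Mint a cookie shaped like <payload>.<timestamp>.<signature>.

    Anyone holding secret_key can call this with an arbitrary payload,
    which is exactly what a leaked or default key hands to an attacker.
    """
    ts = int(time.time()) if now is None else now
    body = (_b64(json.dumps(payload, separators=(",", ":")).encode())
            + "." + _b64(ts.to_bytes(8, "big")))
    sig = hmac.new(_derived_key(secret_key), body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def load_session(cookie: str, secret_key: str, max_age: int = DEFAULT_MAX_AGE,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature and age check out, otherwise None."""
    try:
        payload_b64, ts_b64, sig_b64 = cookie.split(".")
        body = payload_b64 + "." + ts_b64
        expected = hmac.new(_derived_key(secret_key), body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        ts = int.from_bytes(_unb64(ts_b64), "big")
        current = int(time.time()) if now is None else now
        if current - ts > max_age:
            return None
        return json.loads(_unb64(payload_b64))
    except ValueError:            # malformed base64 / JSON / field count
        return None


def generate_secret_key(nbytes: int = 42) -> str:
    """Same strength as the `openssl rand -base64 42` the Superset docs suggest."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def key_problems(key: Optional[str],
                 known_defaults=(PLACEHOLDER_DEFAULT_KEY,)) -> List[str]:
    """List reasons the configured key is unacceptable; an empty list means OK."""
    problems: List[str] = []
    if not key:
        return ["no SECRET_KEY configured"]
    if key in known_defaults:
        problems.append("key equals a publicly known default")
    if len(key.encode()) < 32:
        problems.append("key shorter than 32 bytes")
    return problems


def configured_key() -> Optional[str]:
    """Where a deployment sets it per the advisory's env-var alternative."""
    return os.environ.get("SUPERSET_SECRET_KEY")


def demo():
    # Victim kept the default: an attacker who knows it mints a cookie for user 1 ...
    forged = sign_session({"_user_id": "1", "_fresh": True}, PLACEHOLDER_DEFAULT_KEY)
    accepted = load_session(forged, PLACEHOLDER_DEFAULT_KEY)
    # ... while an instance with its own random key rejects the very same cookie.
    rejected = load_session(forged, generate_secret_key())
    return accepted, rejected


if __name__ == "__main__":
    print("default key accepts forged cookie:", demo()[0])
    print("unique key accepts forged cookie: ", demo()[1])
    print("problems with current env key:    ", key_problems(configured_key()))
```

Run it as-is to see the forged cookie accepted under the shared key and rejected under a fresh one; in a deployment check, feed `key_problems` the value you actually load into `superset_config.py` (extend `known_defaults` with any template values your own automation has ever shipped).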

Database specific
{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / superset

Package

Name
superset
Purl
pkg:bitnami/superset

Severity

  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0.2