Session validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not changed the default configured SECRET_KEY as described in the installation instructions allow an attacker to authenticate and access unauthorized resources: session cookies are signed with SECRET_KEY, so anyone who knows the shipped default value can mint a session cookie that the server accepts as a valid, logged-in session for any user without knowing that user's password. This does not affect Superset administrators who have changed the default value of the SECRET_KEY config.
All Superset installations must set a unique, securely generated random SECRET_KEY. SECRET_KEY is used to sign all session cookies and to encrypt sensitive information stored in the metadata database, so its secrecy is what stops session forgery and the decryption of stored secrets.
Add a strong SECRET_KEY to your superset_config.py file, for example:

SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively, set it via the SUPERSET_SECRET_KEY environment variable.
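The following is an added illustration, not code from the Superset project or from this advisory. It models a Flask-style signed session cookie (base64 body, timestamp, HMAC over both, key derived from SECRET_KEY with a salt, as itsdangerous does) in the standard library only, so the exact wire format is a simplification and the DEFAULT_SECRET_KEY value is a constructed placeholder, not any real shipped default. The "_user_id" session key mirrors what Flask-Login stores; the generated key matches the length of the `openssl rand -base64 42` command the Superset docs recommend. It shows three things a practitioner wants: how a known key lets an attacker forge an admin session, how a random key makes the same cookie fail verification, and an audit check that tells you whether a cookie issued by your own instance validates under a list of known or default keys.

```python
"""Model of Flask-style signed session cookies: why a default SECRET_KEY
lets anyone mint a valid session, and how to check your own instance."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Placeholder for a key that shipped unchanged in a default config.
# Constructed for this example; not the value of any real release.
DEFAULT_SECRET_KEY = "CHANGE_ME_DEFAULT"

COOKIE_SALT = b"cookie-session"  # salt Flask uses for session cookies


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derive_key(secret_key: str) -> bytes:
    # itsdangerous-style derivation: HMAC keyed on the secret over the salt.
    return hmac.new(secret_key.encode(), COOKIE_SALT, hashlib.sha1).digest()


def sign_session(payload: dict, secret_key: str, ts=None) -> str:
    """Return body.timestamp.signature with HMAC-SHA1 over 'body.timestamp'."""
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    issued = int(time.time()) if ts is None else int(ts)
    stamp = _b64e(issued.to_bytes(8, "big"))
    signed = f"{body}.{stamp}"
    sig = hmac.new(_derive_key(secret_key), signed.encode(), hashlib.sha1).digest()
    return f"{signed}.{_b64e(sig)}"


def verify_session(cookie: str, secret_key: str, max_age: int = 7 * 24 * 3600):
    """Return the payload if signature and age check out, otherwise None."""
    try:
        body, stamp, sig = cookie.rsplit(".", 2)
        given_sig = _b64d(sig)
        issued = int.from_bytes(_b64d(stamp), "big")
    except ValueError:  # malformed cookie or bad base64
        return None
    expected = hmac.new(_derive_key(secret_key), f"{body}.{stamp}".encode(),
                        hashlib.sha1).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    if time.time() - issued > max_age:
        return None
    return json.loads(_b64d(body))


def forge_admin_session(secret_key: str) -> str:
    """Attacker's move once the key is known: mint a cookie for user id 1
    (Flask-Login keeps the id under '_user_id'). No credentials required."""
    return sign_session({"_user_id": "1", "_fresh": True}, secret_key)


def key_in_use(cookie: str, candidate_keys):
    """Audit check: does a cookie issued by your instance validate under any
    known or default key? Returns the matching key, or None if none match."""
    for key in candidate_keys:
        if verify_session(cookie, key) is not None:
            return key
    return None


def generate_secret_key() -> str:
    """42 random bytes, base64-encoded: same shape as `openssl rand -base64 42`."""
    return base64.b64encode(secrets.token_bytes(42)).decode()


if __name__ == "__main__":
    forged = forge_admin_session(DEFAULT_SECRET_KEY)
    print("server still on default key accepts forged cookie:",
          verify_session(forged, DEFAULT_SECRET_KEY))
    strong = generate_secret_key()
    print("server with a random key rejects it:", verify_session(forged, strong))
    print("audit: cookie validates under a known default ->",
          key_in_use(forged, [DEFAULT_SECRET_KEY]))
    print("SECRET_KEY =", repr(strong))
```

To audit a live deployment, take the `session` cookie your browser holds after logging in and pass it to `key_in_use` together with the default values from the Superset releases you have ever run; any match means every session on that instance is forgeable. After rotating SECRET_KEY, all existing sessions become invalid, which is the intended effect.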
{ "severity": "Critical", "cpes": [ "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*" ] }