BIT-superset-2023-27524
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/superset/BIT-superset-2023-27524.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-superset-2023-27524
- Aliases
- Published
- 2025-02-05T07:28:32.393Z
- Modified
- 2025-05-20T10:02:07.006Z
- Summary
- Apache Superset: Session validation vulnerability when using provided default SECRET_KEY
- Details
-
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRETKEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRETKEY config.
All superset installations should always set a unique secure random SECRETKEY. Your SECRETKEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your
superset_config.pyfile like:SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>
Alternatively you can set it with
SUPERSET_SECRET_KEYenvironment variable. - Database specific
{ "severity": "Critical", "cpes": [ "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*" ] }- References
-
- https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
- https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
- https://www.openwall.com/lists/oss-security/2023/04/24/2
- https://nvd.nist.gov/vuln/detail/CVE-2023-27524
Affected packages
Bitnami / superset
Package
- Name
- superset
- Purl
- pkg:bitnami/superset
Severity
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator