CVE-2023-27524
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-27524
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27524.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-27524
- Aliases
- Published
- 2023-04-24T16:15:07Z
- Modified
- 2024-09-02T20:55:33Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRETKEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRETKEY config.
All superset installations should always set a unique secure random SECRETKEY. Your SECRETKEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your
superset_config.pyfile like:SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>
Alternatively you can set it with
SUPERSET_SECRET_KEYenvironment variable. - References
-
- https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
- https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
- https://www.openwall.com/lists/oss-security/2023/04/24/2