GHSA-5cx2-vq3h-x52c

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-5cx2-vq3h-x52c/GHSA-5cx2-vq3h-x52c.json
Aliases
  • CVE-2023-27524
Published
2023-04-24T18:30:30Z
Modified
2023-05-24T18:45:47.611394Z
Details

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

References

Affected packages

PyPI / apache-superset

apache-superset

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
2.1.0

Affected versions

0.*

0.34.0
0.34.1
0.35.1
0.35.2
0.36.0
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3

2.*

2.0.0
2.0.1
2.1.0rc3