GHSA-5cx2-vq3h-x52c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5cx2-vq3h-x52c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-5cx2-vq3h-x52c/GHSA-5cx2-vq3h-x52c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5cx2-vq3h-x52c
- Aliases
- Published
- 2023-04-24T18:30:30Z
- Modified
- 2024-04-10T18:55:27.231758Z
- Severity
-
- 8.9 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
- Summary
- Apache superset missing check for default SECRET_KEY
- Details
-
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRETKEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRETKEY config.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-27524
- https://github.com/apache/superset/commit/b180319bbf08e876ea84963220ebebbfd0699e03
- https://github.com/apache/superset
- https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
- https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2023/04/24/2
Affected packages
PyPI / apache-superset
Package
- Name
- apache-superset
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-superset