GHSA-5cx2-vq3h-x52c

Suggest an improvement
Source
https://github.com/advisories/GHSA-5cx2-vq3h-x52c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-5cx2-vq3h-x52c/GHSA-5cx2-vq3h-x52c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5cx2-vq3h-x52c
Aliases
Published
2023-04-24T18:30:30Z
Modified
2024-04-10T18:55:27.231758Z
Severity
  • CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Summary
Apache superset missing check for default SECRET_KEY
Details

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRETKEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRETKEY config.

References

Affected packages

PyPI / apache-superset

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
2.1.0

Affected versions

0.*

0.34.0
0.34.1
0.35.1
0.35.2
0.36.0
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3

2.*

2.0.0
2.0.1