DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524
| Field | Value |
|---|---|
| Case lead | Finn van der Knaap |
| Recommendation | Rotate the SECRET_KEY and update to the latest version |
| Workaround | Rotate the SECRET_KEY by following this article from Apache: [Configuring the SECRET_KEY](https://superset.apache.org/docs/installation/configuring-superset) |
| Last modified | 06 Jul 2023 13:29 |
Recently, a writeup was posted for a vulnerability, tracked as CVE-2023-27524, in the open source tool Apache Superset. Superset uses a default Flask SECRET_KEY, and this key signs the session cookies of users logging in. By default the key is one of 5 standard values which, per the software's documentation, should be changed. An attacker who knows this key can sign their own cookies, and as a result can forge a session cookie to log in as an administrator.
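To illustrate why a known SECRET_KEY is fatal and why rotating it is the fix, here is an added example (not code from the advisory or from Superset) that emulates the cookie signing in a simplified form: the signing scheme, the salt `cookie-session`, and the key sizes are assumptions for the demonstration, not Flask's exact scheme. It shows that a session cookie only verifies under the key that signed it, so rotating the key invalidates every cookie issued under the old one.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _derive(secret_key: bytes, salt: bytes = b"cookie-session") -> bytes:
    # Simplified stand-in for the per-purpose key derivation Flask applies
    # (assumption for this example, not the exact itsdangerous scheme).
    return hmac.new(secret_key, salt, hashlib.sha256).digest()


def sign_session(secret_key: bytes, session: dict) -> str:
    """Serialize a session dict and append an HMAC computed with SECRET_KEY."""
    payload = base64.urlsafe_b64encode(
        json.dumps(session, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(_derive(secret_key), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_session(secret_key: bytes, cookie: str):
    """Return the session dict if the signature matches this key, else None."""
    payload, _, sig = cookie.rpartition(".")
    expected = hmac.new(_derive(secret_key), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # signed under a different (e.g. rotated) key, or tampered
    return json.loads(base64.urlsafe_b64decode(payload))


def new_secret_key(nbytes: int = 42) -> bytes:
    """Generate a fresh random key; 42 bytes is an assumed size for the example."""
    return secrets.token_bytes(nbytes)


def rotation_invalidates_old_cookies() -> bool:
    """Cookie issued under the old key must stop verifying after rotation."""
    old_key = b"constructed-default-key"  # constructed placeholder, not a real default
    cookie = sign_session(old_key, {"_user_id": "1"})
    still_valid = verify_session(old_key, cookie) == {"_user_id": "1"}
    rejected_after_rotation = verify_session(new_secret_key(), cookie) is None
    return still_valid and rejected_after_rotation


if __name__ == "__main__":
    print("rotation invalidates old sessions:", rotation_invalidates_old_cookies())
```

Because every instance that keeps a default key shares the same signing secret, only a key unique to the deployment makes the signature worth anything.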
What you can do
- Rotate the SECRET_KEY by following Apache's article on their website: https://superset.apache.org/docs/installation/configuring-superset, and update to the latest version.
What we are doing
- DIVD is currently identifying all the vulnerable Superset servers.
| Date | Event |
|---|---|
| 02 Jul 2023 | Started research |