DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524

| Field | Value |
|---|---|
| Our reference | DIVD-2023-00026 |
| Case lead | Finn van der Knaap |
| Researcher(s) | |
| CVE(s) | CVE-2023-27524 |
| Product | Apache Superset |
| Versions | <=2.0.1 |
| Recommendation | Rotate the SECRET_KEY and update to the latest version |
| Workaround | Rotate the SECRET_KEY by following this article from Apache: [Configuring the SECRET_KEY](https://superset.apache.org/docs/installation/configuring-superset) |
| Status | Open |
| Last modified | 06 Jul 2023 13:29 |

Summary

Recently, a writeup was posted for a vulnerability, tracked as CVE-2023-27524, in the open source tool Apache Superset. Superset uses Flask's SECRET_KEY to sign the session cookies of users who log in. By default, this key is one of five standard keys, which according to the software's documentation should be changed. An attacker who knows this key can sign their own session cookies and thereby forge a cookie that logs them in as an administrator.
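The following Python snippet is an added example, not code from the DIVD casefile or from Apache Superset. It models the trust relationship described above in simplified form: a session cookie is a payload plus an HMAC over it under SECRET_KEY, so whoever holds the key can mint a valid cookie, and rotating the key invalidates every cookie signed under the old one. Real Flask signs through itsdangerous' URLSafeTimedSerializer with salted key derivation, which this model omits. The function names, the `KNOWN_DEFAULT_KEYS` set and the placeholder default value are constructed for illustration; the actual shipped default keys are deliberately not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Simplified model of Flask/itsdangerous cookie signing (constructed for
# illustration): payload is base64url-encoded JSON, signature is HMAC-SHA256
# keyed with SECRET_KEY. The point demonstrated is the key's role, not the
# exact wire format Flask uses.
def sign_session(payload: dict, secret_key: str) -> str:
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode().rstrip("=")
    sig = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_session(cookie: str, secret_key: str):
    """Return the payload if the signature is valid under secret_key, else None."""
    try:
        body, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so verification itself does not leak the tag.
    if not hmac.compare_digest(sig, expected):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


# Constructed placeholder standing in for the shipped default keys the casefile
# refers to. A real deployment check would populate this set from the vendor's
# documented defaults.
KNOWN_DEFAULT_KEYS = {"DEFAULT_SECRET_KEY_PLACEHOLDER"}


def secret_key_findings(secret_key: str) -> list:
    """Configuration check: return a list of reasons a SECRET_KEY is unsafe."""
    findings = []
    if secret_key in KNOWN_DEFAULT_KEYS:
        findings.append("secret key matches a known default value")
    if len(secret_key) < 32:
        findings.append("secret key is shorter than 32 characters")
    if len(set(secret_key)) < 10:
        findings.append("secret key has very low character diversity")
    return findings


def rotation_invalidates_sessions() -> bool:
    """Show that a cookie minted under the old key is rejected after rotation."""
    old_key = "DEFAULT_SECRET_KEY_PLACEHOLDER"
    new_key = secrets.token_urlsafe(42)  # how a fresh key should be generated
    cookie = sign_session({"_user_id": "1", "role": "Admin"}, old_key)
    valid_under_old = verify_session(cookie, old_key) is not None
    valid_under_new = verify_session(cookie, new_key) is not None
    return valid_under_old and not valid_under_new


if __name__ == "__main__":
    print("rotation invalidates old sessions:", rotation_invalidates_sessions())
    print("findings for placeholder default:", secret_key_findings("DEFAULT_SECRET_KEY_PLACEHOLDER"))
```

The `secret_key_findings` check is the part worth wiring into a deployment pipeline: it should run against the effective `SECRET_KEY` in `superset_config.py` before the service is exposed. Note that rotating the key logs every user out, and that Superset also uses SECRET_KEY to encrypt stored connection secrets, so the rotation should follow the Apache article linked in the Workaround row rather than be done by editing the value alone.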

What you can do

What we are doing

Timeline

| Date | Description |
|---|---|
| 02 Jul 2023 | Started research |
| 02 Jul 2023 | Publishing casefile |

More information