DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524
| Our reference | DIVD-2023-00026 |
| Case lead | Finn van der Knaap |
| Researcher(s) | |
| CVE(s) | |
| Product | Apache Superset |
| Versions |
|
| Recommendation | Rotate the SECRET_KEY and update to the latest version |
| Workaround | Rotate the SECRET_KEY by following this article from Apache: [Configuring the SECRET_KEY](https://superset.apache.org/docs/installation/configuring-superset) |
| Status | Open |
| Last modified | 06 Jul 2023 13:29 |
Summary
Recently, a writeup was posted for a vulnerability, tracked as CVE-2023-27524, in the open source tool Apache Superset. A default Flask SECRET_KEY is used, this key signs the cookies of user logging in. By default, this key is one of 5 standard keys, which per the software’s documentation should be changed. When an attacker knows this key, they can sign their own cookies, as a result the attacker can forge their own cookies to log in as an administrator.
What you can do
- Rotate the SECRET_KEY by following the article on Apache on their website: https://superset.apache.org/docs/installation/configuring-superset. And update to the latest version
What we are doing
- DIVD is currently identifying all the vulnerable Superset servers.
Timeline
| Date | Description |
|---|---|
| 02 Jul 2023 | Started research |
|
02 Jul 2023- 02 Jul 2023 |
publishing casefile |
gantt
title DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524 (still open) :2023-07-02, 2023-10-03
section Events
Started research : milestone, 2023-07-02, 0d
publishing casefile (0 days) : 2023-07-02, 2023-07-02