DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524

Our reference DIVD-2023-00026
Case lead Finn van der Knaap
Researcher(s)
CVE(s)
Product Apache Superset
Versions
  • <=2.0.1
Recommendation Rotate the SECRET_KEY and update to the latest version
Workaround Rotate the SECRET_KEY by following this article from Apache: [Configuring the SECRET_KEY](https://superset.apache.org/docs/installation/configuring-superset)
Status Closed
Last modified 06 May 2024 11:23 CEST

Summary

Recently, a writeup was posted for a vulnerability, tracked as CVE-2023-27524, in the open source tool Apache Superset. A default Flask SECRET_KEY is used, this key signs the cookies of user logging in. By default, this key is one of 5 standard keys, which per the software’s documentation should be changed. When an attacker knows this key, they can sign their own cookies, as a result the attacker can forge their own cookies to log in as an administrator.

What you can do

What we are doing

Timeline

Date Description
02 Jul 2023 Started research
02 Jul 2023-
02 Jul 2023		 publishing casefile
06 Jul 2023-
06 Jul 2023		 Started scanning for vulnerable instances
07 Jul 2023 Mails sent
07 Jul 2023 Case closed
gantt title DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00026 - Apache Superset authentication bypass leads to RCE - CVE-2023-27524 (5 days) :2023-07-02, 2023-07-07 section Events Started research : milestone, 2023-07-02, 0d publishing casefile (0 days) : 2023-07-02, 2023-07-02 Started scanning for vulnerable instances (0 days) : 2023-07-06, 2023-07-06 Mails sent : milestone, 2023-07-07, 0d Case closed : milestone, 2023-07-07, 0d

More information