Session validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to the installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value of the SECRET_KEY config. All Superset installations should always set a unique, secure, random SECRET_KEY. Your SECRET_KEY is used to sign all session cookies and to encrypt sensitive information in the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>. Alternatively, you can set it with the `SUPERSET_SECRET_KEY` environment variable.
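The mitigation above is a configuration check a deployment can enforce before Superset starts. The following Python is an added example, not code from the CVE record or from the Superset project: it reads SECRET_KEY out of a superset_config.py without executing it, flags the advisory's placeholder and weak values, and generates a replacement; the length and entropy thresholds are assumptions of this example.

```python
import ast
import math
import secrets
from collections import Counter

# Placeholder shown in the advisory; a deployment that kept it has no real secret.
PLACEHOLDER = "YOUR_OWN_RANDOM_GENERATED_SECRET_KEY"
MIN_LENGTH = 32          # assumed policy threshold for this example
MIN_BITS_PER_CHAR = 3.0  # assumed policy threshold for this example


def shannon_entropy(s: str) -> float:
    """Estimated bits per character from the string's own symbol frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def secret_key_from_config(source: str):
    """SECRET_KEY string assigned in superset_config.py source (parsed with ast, never executed)."""
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets
        ):
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                return node.value.value
    return None


def audit_secret_key(key) -> list:
    """Return findings for a SECRET_KEY value; an empty list means it passes every check."""
    if not key:
        return ["SECRET_KEY is not set, so Superset falls back to its built-in default"]
    findings = []
    if key.strip("<>") == PLACEHOLDER:
        findings.append("SECRET_KEY is the documentation placeholder, not a generated secret")
    if len(key) < MIN_LENGTH:
        findings.append(f"SECRET_KEY is shorter than {MIN_LENGTH} characters")
    if shannon_entropy(key) < MIN_BITS_PER_CHAR:
        findings.append("SECRET_KEY has low character entropy (looks hand-typed)")
    return findings


def generate_secret_key() -> str:
    """CSPRNG-backed value suitable for SECRET_KEY or the SUPERSET_SECRET_KEY variable."""
    return secrets.token_urlsafe(42)


# Constructed sample configs: one kept the placeholder, one carries a generated key.
PLACEHOLDER_CONFIG = 'SECRET_KEY = "<YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>"\n'
STRONG_CONFIG = f'SECRET_KEY = "{generate_secret_key()}"\n'

if __name__ == "__main__":
    for name, cfg in (("placeholder", PLACEHOLDER_CONFIG), ("generated", STRONG_CONFIG)):
        print(name, audit_secret_key(secret_key_from_config(cfg)) or ["ok"])
```

The same audit applies to the value of the `SUPERSET_SECRET_KEY` environment variable; pass `os.environ.get("SUPERSET_SECRET_KEY")` to `audit_secret_key` for deployments that use it.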
Published 2023-04-24 16:15:08
Updated 2024-06-10 16:22:22
CVE-2023-27524 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
Apache Superset Insecure Default Initialization of Resource Vulnerability
CISA required action:
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CISA description:
Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.
Notes:
https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk; https://nvd.nist.gov/vuln/detail/CVE-2023-27524
Added on 2024-01-08; action due date 2024-01-29

Exploit prediction scoring system (EPSS) score for CVE-2023-27524

EPSS score: 97.23% (probability of exploitation activity in the next 30 days)
Percentile: ~100% (proportion of vulnerabilities scored at or below this)

Metasploit modules for CVE-2023-27524

  • Apache Superset Signed Cookie Priv Esc
    Disclosure Date: 2023-04-25
    First seen: 2023-10-08
    auxiliary/gather/apache_superset_cookie_sig_priv_esc
    Apache Superset versions <= 2.0.0 utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that of an administrator,
  • Apache Superset Signed Cookie RCE
    Disclosure Date: 2023-09-06
    First seen: 2023-10-15
    exploit/linux/http/apache_superset_cookie_sig_rce
    Apache Superset versions <= 2.0.0 utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that of an administrator,

CVSS scores for CVE-2023-27524

Base Score  Base Severity  CVSS Vector                                   Exploitability Score  Impact Score  Score Source
9.8         CRITICAL       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  3.9                   5.9           NIST
8.9         HIGH           CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L  2.2                   6.0           Apache Software Foundation
