Apache Superset Patches Vulnerability Caused by Insecure Default Configuration Exposes Servers to RCE
April 27, 2023
Apache Superset Patches Vulnerability Caused by Insecure Default Configuration Exposes Servers to RCE
Apache Superset, which is an open source data visualization and exploration tool software, has been found vulnerable to authentication bypass and remote code execution due to usage of its default configurations.
This allows attackers to potentially access and modify data, harvest credentials, and execute commands.
The vulnerability is caused by the use of a default Flask secret key to sign authentication session cookies, which makes servers publicly accessible. Attackers can exploit this by forging session cookies, allowing them to log in with administrator privileges on servers that have not changed the default key.
It is important to note the vulnerability does not affect Superset administrators who have changed the default value for SECRET_KEY config.
The Vulnerability
- CVE-2023-27524 (CVSS score: 8.9, High).
Affected Product
- Apache Superset all versions up to and including 2.0.1 used the default configuration of Flask secret key.
Mitigation
CYREBRO recommends updating Apache Superset to version 2.1.
Moreover, as the updated version is not foolproof we recommend to preform a check on Apache Superset using the script determine if your instance is vulnerable to the attack. If so, follow Apache`s best Practice.
References: Horizon3.ai Advisory.