CVE-2023-27524 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Apache Superset Insecure Default Initialization of Resource Vulnerability

Exploit added

January 8, 2024

Action due

January 29, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database.
Add a strong SECRET_KEY to your `superset_config.py` file like:

SECRET_KEY =

Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-1188	Initialization of a Resource with an Insecure Default

Known Affected Software Configurations

cpe:2.3:a:apache:superset:3.0.1:-::::::
cpe:2.3:a:apache:superset:3.0.0:rc2::::::
cpe:2.3:a:apache:superset:2.1.2:rc1::::::
cpe:2.3:a:apache:superset:3.0.1:rc2::::::
cpe:2.3:a:apache:superset:2.1.1:-::::::
cpe:2.3:a:apache:superset:3.0.0:-::::::
cpe:2.3:a:apache:superset:3.0.0:rc1::::::
cpe:2.3:a:apache:superset:2.1.1:rc2::::::
cpe:2.3:a:apache:superset:3.0.1:rc1::::::
cpe:2.3:a:apache:superset:2.1.1:rc3::::::
cpe:2.3:a:apache:superset:3.0.2:-::::::
cpe:2.3:a:apache:superset:3.0.2:rc1::::::
cpe:2.3:a:apache:superset:2.1.2:-::::::
cpe:2.3:a:apache:superset:2.1.1:rc1::::::
cpe:2.3:a:apache:superset:3.0.0:rc3::::::
cpe:2.3:a:apache:superset:3.0.2:rc2::::::
cpe:2.3:a:apache:superset:3.0.0:rc4::::::
cpe:2.3:a:apache:superset:2.1.2:rc2::::::
cpe:2.3:a:apache:superset:2.1.0:rc3::::::
cpe:2.3:a:apache:superset:2.0.1:rc1::::::
cpe:2.3:a:apache:superset:2.0.1:rc3::::::
cpe:2.3:a:apache:superset:2.0.1:rc6::::::
cpe:2.3:a:apache:superset:2.1.0:rc2::::::
cpe:2.3:a:apache:superset:2.0.1:rc4::::::
cpe:2.3:a:apache:superset:2.0.1:rc2::::::
cpe:2.3:a:apache:superset:2.1.0:-::::::
cpe:2.3:a:apache:superset:2.1.0:rc1::::::
cpe:2.3:a:apache:superset:2.0.1:rc5::::::
cpe:2.3:a:apache:superset:0.32:::::::*
cpe:2.3:a:apache:superset:0.24.0:::::::*
cpe:2.3:a:apache:superset:0.22.0:::::::*
cpe:2.3:a:apache:superset:0.34.1:::::::*
cpe:2.3:a:apache:superset:0.21.0:::::::*
cpe:2.3:a:apache:superset:0.25.0:::::::*
cpe:2.3:a:apache:superset:0.35.0:::::::*
cpe:2.3:a:apache:superset:0.35.1:::::::*
cpe:2.3:a:apache:superset:0.27.0:::::::*
cpe:2.3:a:apache:superset:0.31:::::::*
cpe:2.3:a:apache:superset:0.28.0:::::::*
cpe:2.3:a:apache:superset:0.23.0:::::::*
cpe:2.3:a:apache:superset:0.26.0:::::::*
cpe:2.3:a:apache:superset:0.34.0:::::::*
cpe:2.3:a:apache:superset:2.0.1:::::::*
cpe:2.3:a:apache:superset:2.0.0:-::::::
cpe:2.3:a:apache:superset:2.0.0:rc2::::::
cpe:2.3:a:apache:superset:2.0.0:rc1::::::
cpe:2.3:a:apache:superset:1.5.0:rc4::::::
cpe:2.3:a:apache:superset:1.5.1:-::::::
cpe:2.3:a:apache:superset:1.5.1:rc1::::::
cpe:2.3:a:apache:superset:1.5.0:rc2::::::
cpe:2.3:a:apache:superset:1.5.0:rc1::::::
cpe:2.3:a:apache:superset:1.5.0:rc3::::::
cpe:2.3:a:apache:superset:1.4.2:rc1::::::
cpe:2.3:a:apache:superset:1.4.2:-::::::
cpe:2.3:a:apache:superset:1.4.1:rc1::::::
cpe:2.3:a:apache:superset:1.4.1:-::::::
cpe:2.3:a:apache:superset:1.4.0:rc1::::::
cpe:2.3:a:apache:superset:1.4.0:rc2::::::
cpe:2.3:a:apache:superset:1.4.0:rc3::::::
cpe:2.3:a:apache:superset:1.4.0:rc4::::::
cpe:2.3:a:apache:superset:1.4.0:-::::::
cpe:2.3:a:apache:superset:1.3.2:-::::::
cpe:2.3:a:apache:superset:1.3.2:rc1::::::
cpe:2.3:a:apache:superset:1.3.1:-::::::
cpe:2.3:a:apache:superset:1.3.1:rc1::::::
cpe:2.3:a:apache:superset:1.3.1:rc2::::::
cpe:2.3:a:apache:superset:1.3.0:rc2::::::
cpe:2.3:a:apache:superset:1.3.0:rc1::::::
cpe:2.3:a:apache:superset:1.3.0:-::::::
cpe:2.3:a:apache:superset:1.2.0:rc1::::::
cpe:2.3:a:apache:superset:1.2.0:-::::::
cpe:2.3:a:apache:superset:1.2.0:rc2::::::
cpe:2.3:a:apache:superset:1.1.0:rc1::::::
cpe:2.3:a:apache:superset:1.1.0:-::::::
cpe:2.3:a:apache:superset:1.1.0:rc2::::::
cpe:2.3:a:apache:superset:1.0.1:rc2::::::
cpe:2.3:a:apache:superset:1.0.1:rc1::::::
cpe:2.3:a:apache:superset:1.0.1:-::::::
cpe:2.3:a:apache:superset:1.0.0:-::::::
cpe:2.3:a:apache:superset:1.0.0:rc4::::::
cpe:2.3:a:apache:superset:1.0.0:rc2::::::
cpe:2.3:a:apache:superset:1.0.0:rc3::::::
cpe:2.3:a:apache:superset:1.0.0:rc1::::::
cpe:2.3:a:apache:superset:0.38.0:-::::::
cpe:2.3:a:apache:superset:0.38.0:rc4::::::
cpe:2.3:a:apache:superset:0.38.0:rc2::::::
cpe:2.3:a:apache:superset:0.38.0:rc3::::::
cpe:2.3:a:apache:superset:0.38.0:rc1::::::
cpe:2.3:a:apache:superset:0.38.1:rc1::::::
cpe:2.3:a:apache:superset:0.38.1:-::::::
cpe:2.3:a:apache:superset:0.37.2:rc2::::::
cpe:2.3:a:apache:superset:0.37.2:-::::::
cpe:2.3:a:apache:superset:0.37.2:rc1::::::
cpe:2.3:a:apache:superset:0.37.1:rc1::::::
cpe:2.3:a:apache:superset:0.37.1:-::::::
cpe:2.3:a:apache:superset:0.37.0:rc4::::::
cpe:2.3:a:apache:superset:0.37.0:rc3::::::
cpe:2.3:a:apache:superset:0.37.0:rc2::::::
cpe:2.3:a:apache:superset:0.37.0:rc1::::::
cpe:2.3:a:apache:superset:0.37.0:-::::::

Details

Source:
NVD

Published:
April 24, 2023

Updated:
June 10, 2024

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined