CVE-2023-27524

2023-04-2416:15:07

CWE-1188

[email protected]

web.nvd.nist.gov

202

In Wild

cve-2023-27524

session validation

apache superset

security vulnerability

nvd

unauthorized access

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.97 High

EPSS

Percentile

99.8%

JSON

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database.
Add a strong SECRET_KEY to your superset_config.py file like:

SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively you can set it with SUPERSET_SECRET_KEY environment variable.

Affected configurations

Vulners

NVD

Node

apachesupersetRange≤2.0.1

CPENameOperatorVersion
apache:supersetapache supersetle2.0.1

CPE	Name	Operator	Version
apache:superset	apache superset	le	2.0.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Superset",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.0.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]