CVE-2023-27524
- Reference to the description:
- Description:
- Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
- Last updated date:
- 06/10/2024
Reports
ACTIVELY EXPLOITED
- Type:
- exploitation
- Confidence:
- HIGH
- Date of publishing:
- 01/08/2024
- Reference url to background
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 04/25/2023
- Reference url to background
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 04/27/2023
- Reference url to background
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 04/27/2023
- Reference url to background
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 04/27/2023
- Reference url to background
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 05/04/2023
- Reference url to background
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 05/04/2023
- Reference url to background
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 05/08/2023
- Reference url to background
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 09/08/2023
- Reference url to background
https://github.com/jakabakos/CVE-2023-27524-Apache-Superset-Auth-Bypass-and-RCE
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 09/12/2023
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 10/10/2023
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 01/21/2024
- Reference url to background
http://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 01/21/2024
- Reference url to background
http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 06/10/2024
- Reference url to background
https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 06/10/2024
- Reference url to background
https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html