CVE-2023-27524

Apache Superset: Session validation vulnerability when using provided default SECRET_KEY

CVSS 8.9 HIGH | EPSS 97.4% | KEV | CWE-1188
In short

Apache Superset versions up to 2.0.1 allow attackers to forge valid session cookies if the default SECRET_KEY is not changed, enabling unauthorized access to the application. This only affects installations that haven't customized the SECRET_KEY as instructed during setup.

Technical detail

Apache Superset ≤2.0.1 has a session validation vulnerability: when the default SECRET_KEY remains unchanged, an unauthenticated attacker can forge session cookies that the application accepts as valid, impersonate users and access unauthorized resources. Only installations that did not alter the default SECRET_KEY configuration are affected. The vulnerability is mitigated by setting a unique, randomly generated SECRET_KEY in superset_config.py or via the SUPERSET_SECRET_KEY environment variable.

Summary generated and translated by AI from the official description.
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for the SECRET_KEY config. All Superset installations should always set a unique, secure, random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and to encrypt sensitive information in the database.

Add a strong SECRET_KEY to your `superset_config.py` file like:

SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively you can set it with the `SUPERSET_SECRET_KEY` environment variable.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
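As an added example (not part of this advisory or of the Superset project), the check below reads the SECRET_KEY from the two places the advisory names, a `superset_config.py` file and the `SUPERSET_SECRET_KEY` environment variable, and flags keys that are missing, placeholder-like, short or low-entropy. The placeholder list and the config-file-over-environment precedence are assumptions for this example; confirm both against the Superset version you run.

```python
import math
import re
import secrets
from collections import Counter
from typing import Dict, List, Optional

# Constructed list of placeholder-style values that must never be a SECRET_KEY.
# Extend it with the default values shipped by your Superset version.
KNOWN_PLACEHOLDERS = {"<YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>", "CHANGE_ME"}
MIN_LENGTH = 32          # characters; generous for a Flask signing key
MIN_ENTROPY_BITS = 3.0   # Shannon entropy per character, a crude randomness proxy

# Matches a line such as: SECRET_KEY = "value"  (quotes may be single or double)
_KEY_RE = re.compile(r'^\s*SECRET_KEY\s*=\s*([\'"])(.*?)\1', re.MULTILINE)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the observed distribution."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def find_secret_key(config_text: str, env: Dict[str, str]) -> Optional[str]:
    """Assumed lookup order: superset_config.py first, then SUPERSET_SECRET_KEY."""
    match = _KEY_RE.search(config_text)
    if match:
        return match.group(2)
    return env.get("SUPERSET_SECRET_KEY") or None


def audit_secret_key(key: Optional[str]) -> List[str]:
    """Return findings; an empty list means the key passes every check."""
    if key is None:
        return ["SECRET_KEY not set: Superset falls back to its built-in default"]
    findings = []
    if key in KNOWN_PLACEHOLDERS or "<" in key:
        findings.append("SECRET_KEY is a placeholder value")
    if len(key) < MIN_LENGTH:
        findings.append(f"SECRET_KEY is shorter than {MIN_LENGTH} characters")
    if shannon_entropy(key) < MIN_ENTROPY_BITS:
        findings.append("SECRET_KEY has low character entropy (looks hand-typed)")
    return findings


def generate_secret_key(nbytes: int = 42) -> str:
    """A URL-safe random key suitable for SECRET_KEY = "..." in superset_config.py."""
    return secrets.token_urlsafe(nbytes)
```

Run `audit_secret_key(find_secret_key(open("superset_config.py").read(), dict(os.environ)))` on a host to get the findings for that deployment.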