CVE-2023-27524

Apache Superset Insecure Default Initialization of Resource Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database.
Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.

Apache Superset versions 2.0.0 and below utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user. From there the Superset database is mounted, and credentials are pulled. A dashboard is then created. Lastly a pickled python payload can be set for that dashboard within Superset's database which will trigger the remote code execution. An attempt to clean up ALL of the dashboard key values and reset them to their previous values happens during the cleanup phase.

Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.

*Credits: Naveen Sunkavally (Horizon3.ai)

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-03-02 CVE Reserved
2023-04-24 CVE Published
2023-04-27 First Exploit
2024-01-08 Exploited in Wild
2024-01-29 KEV Due Date
2025-07-30 CVE Updated
2025-08-04 EPSS Updated

CWE

CWE-1188: Initialization of a Resource with an Insecure Default

CAPEC

References (26)

URL	Tag	Source
https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
https://www.openwall.com/lists/oss-security/2023/04/24/2
https://github.com/Paradoxis/Flask-Unsign
https://vulcan.io/blog/cve-2023-27524-in-apache-superset-what-you-need-to-know
https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution
https://github.com/horizon3ai/CVE-2023-27524/blob/main/CVE-2023-27524.py

URL	Date	SRC
https://packetstorm.news/files/id/172522	2023-05-24
https://packetstorm.news/files/id/175094	2023-10-13
https://packetstorm.news/files/id/180678	2024-08-31
https://www.exploit-db.com/exploits/51447	2023-05-23
https://github.com/horizon3ai/CVE-2023-27524	2023-09-09
https://github.com/MaanVader/CVE-2023-27524-POC	2023-05-04
https://github.com/jakabakos/CVE-2023-27524-Apache-Superset-Auth-Bypass-and-RCE	2023-09-11
https://github.com/ThatNotEasy/CVE-2023-27524	2023-07-24
https://github.com/antx-code/CVE-2023-27524	2023-04-27
https://github.com/TardC/CVE-2023-27524	2023-05-09
https://github.com/necroteddy/CVE-2023-27524	2023-08-30
https://github.com/NguyenCongHaiNam/Research-CVE-2023-27524	2023-10-30
https://github.com/Cappricio-Securities/CVE-2023-27524	2024-06-21
https://github.com/karthi-the-hacker/CVE-2023-27524	2024-05-11
https://github.com/CN016/Apache-Superset-SECRET_KEY-CVE-2023-27524-	2023-10-10
https://github.com/Okaytc/Superset_auth_bypass_check	2023-09-28
https://github.com/ZZ-SOCMAP/CVE-2023-27524	2024-09-19
https://github.com/h1n4mx0/Research-CVE-2023-27524	2023-10-30

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk	2024-04-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Superset Search vendor "Apache" for product "Superset"				<= 2.0.1 Search vendor "Apache" for product "Superset" and version " <= 2.0.1"		-		Affected