Maintainers of the Apache Superset open source data visualization software have issued updates to address a security vulnerability, tracked as CVE-2023-27524, with a CVSS score of 8.9.
This vulnerability, which is present in versions 2.0.1 and prior, is caused by an insecure default configuration that could result in remote code execution. By exploiting the default SECRET_KEY, malicious actors could gain access to unauthorized resources on internet-exposed installations of the software.
CVE-2023-27524 Technical Overview
According to the official National Vulnerability Database description, “Session Validation attacks in Apache Superset versions up to and including 2.0.1” are possible. If the installation has followed instructions and changed the default value for the SECRET_KEY config, then the unauthorized access of resources by attackers is prevented. However, installations that have not modified the default configured SECRET_KEY may be vulnerable to this type of attack.
Naveen Sunkavally, security researcher at Horizon3.ai, characterized the issue as a dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data. It should be noted that the bug does not affect Superset instances that have changed the default value of the SECRET_KEY config to a cryptographically secure random string.
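The remediation is to make sure SECRET_KEY is no longer the shipped default. The following audit helper is an added example, not code from Superset or from the Horizon3.ai report: it reads the SECRET_KEY literal out of a superset_config.py without executing it, flags known placeholder values (the list here is a constructed placeholder, not the real default), short or low-entropy keys, and produces a replacement from the OS CSPRNG.

```python
import ast
import math
import secrets
from collections import Counter
from typing import List, Optional

# Constructed placeholder list; populate with the values from the project's own config.py.
KNOWN_WEAK_KEYS = {"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET", ""}
MIN_KEY_BYTES = 32

# Constructed sample config for the demo (not a real deployment's file).
SAMPLE_CONFIG = '''# superset_config.py
ROW_LIMIT = 5000
SECRET_KEY = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"
'''

def read_secret_key_literal(source: str) -> Optional[str]:
    """Find `SECRET_KEY = "<literal>"` via the AST so the config is never executed."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            if any(isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets):
                return node.value.value
    return None  # not set as a plain literal (or not set at all)

def shannon_entropy_bits(s: str) -> float:
    """Per-character Shannon entropy; repetitive or dictionary-like keys score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def audit_secret_key(key: Optional[str]) -> List[str]:
    """Return findings for a SECRET_KEY; an empty list means it passed every check."""
    findings = []
    if not isinstance(key, str):
        return ["SECRET_KEY is missing or not a string literal"]
    if key in KNOWN_WEAK_KEYS:
        findings.append("SECRET_KEY is a known default/placeholder value")
    if len(key.encode()) < MIN_KEY_BYTES:
        findings.append(f"SECRET_KEY is shorter than {MIN_KEY_BYTES} bytes")
    if shannon_entropy_bits(key) < 3.0:
        findings.append("SECRET_KEY has low per-character entropy")
    return findings

def generate_secret_key(nbytes: int = 42) -> str:
    """Replacement key from secrets.token_urlsafe (os.urandom underneath)."""
    return secrets.token_urlsafe(nbytes)

if __name__ == "__main__":
    print(audit_secret_key(read_secret_key_literal(SAMPLE_CONFIG)))
    print("suggested replacement:", generate_secret_key())
```

Rotating the key invalidates every existing session cookie, which is the intended effect after exposure.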
Further technical details are available in the original report.