#VU85166 Insecure default initialization of resource in Apache Superset - CVE-2023-27524

Cybersecurity Help s.r.o.

Published: 2024-01-09 | Updated: 2024-12-19

Vulnerability identifier: #VU85166

Vulnerability risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2023-27524

CWE-ID: CWE-1188

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Apache Superset
Web applications / Other software

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to the application does not alter the default configured SECRET_KEY by itself. A remote attacker can authenticate and access unauthorized resources if the software installation was not performed according to vendor's instructions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Superset: 2.0.0 - 2.0.1

External links
https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
https://www.openwall.com/lists/oss-security/2023/04/24/2
https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apache Superset