Apache Superset Vulnerability Exposes Servers to RCE Attacks - 20230501001¶
Overview¶
A default confirguration in Apache Superset allows it to be vulnerable to authentication bypass and remote code execution. According to Horizon3, Apache Superset used a default Flask Secret Key to sign authentication session cookies. Attackers can use this default key to forge session cookies that allow them to log in with administrator privileges to servers that did not change the key.
What is the vulnerability?¶
CVE-2023-27524 - CVSS v3 Base Score: 8.9
What is vulnerable?¶
Installations prior to version 2.1.0 that have not altered the default configured SECRET_KEY according to installation instructions.
What has been observed?¶
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation¶
The WA SOC recommends administrators apply the configuration changes as per vendor instructions to all affected devices: Configuring Superset