CVE-2023-27524
HIGH8.9⚠ KEVEPSS 84.0%Apache superset missing check for default SECRET_KEY
發布日:2023/4/24修改日:2025/10/22加入 CISA KEV 日:2024/1/8
描述
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
受影響套件(2)
- Bitnami/supersetfrom 0, < 2.0.2
- PyPI/apache-supersetfrom 0, < 2.1.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-27524
- PATCHhttps://github.com/apache/superset
- WEBhttps://github.com/apache/superset/commit/b180319bbf08e876ea84963220ebebbfd0699e03
- WEBhttps://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
- WEBhttps://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- WEBhttps://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
- WEBhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27524
- WEBhttps://www.openwall.com/lists/oss-security/2023/04/24/2
- WEBhttp://www.openwall.com/lists/oss-security/2023/04/24/2