Service Notices
Apache Superset Identity Authentication Bypass Vulnerability (CVE-2023-27524)
Apr 28, 2023 GMT+08:00
I. Overview
Recently, Apache Superset has released an official security notice disclosing an identity authentication bypass vulnerability (CVE-2023-27524) in Apache Superset 2.0.1 and earlier. Apache Superset ships with insecure default settings: deployments that keep the default SECRET_KEY value instead of changing it as the installation guide instructs are exposed to this vulnerability. Unauthorized attackers can exploit this vulnerability to access restricted resources or run arbitrary code. Exploitation details have already been disclosed publicly, so the risk is high.
Apache Superset is an open-source software application for data exploration and data visualization. It can process petabyte-scale data. If you are an Apache Superset user, check your system and implement timely security hardening.
References:
https://www.cve.org/CVERecord?id=CVE-2023-27524
https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache Superset <= 2.0.1
Secure versions:
Apache Superset >= 2.1.0
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.
https://www.apache.org/dist/superset/2.1.0
If you cannot upgrade promptly, replace the default value of SECRET_KEY with a strong, randomly generated value. For details, see the official guide.
https://superset.apache.org/docs/installation/configuring-superset/#secret_key-rotation
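The following script is an added example for this notice; it is not part of the advisory or of the Apache Superset project. It audits a superset_config.py for a SECRET_KEY that is missing, matches a placeholder, is short, or has low estimated entropy, and generates a replacement from the OS random source. The placeholder strings in PLACEHOLDER_KEYS and the two sample configs are constructed for illustration; the notice does not list the real shipped default, so add your deployment's own default value to that set before relying on the check.

```python
"""Audit a Superset config for a weak SECRET_KEY and produce a replacement.

Added example for this notice; not the advisory's or the Superset project's code.
Assumes the config is a Python file that assigns SECRET_KEY as a string literal,
which is how superset_config.py normally sets it.
"""
import ast
import math
import secrets
from collections import Counter
from typing import List, Optional

# Constructed placeholder strings standing in for "never changed after install"
# values. The notice does not list the real defaults; extend this set with the
# value that shipped in your own deployment.
PLACEHOLDER_KEYS = {
    "CHANGE_ME",
    "YOUR_SECRET_KEY_HERE",
}
MIN_KEY_LENGTH = 32        # characters
MIN_ENTROPY_BITS = 128.0   # rough lower bound for a signing key


def shannon_entropy_bits(s: str) -> float:
    """Estimated total Shannon entropy of the string in bits (per-char entropy x length)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def extract_secret_key(config_source: str) -> Optional[str]:
    """Return the SECRET_KEY string literal assigned in the config source, or None."""
    value = None
    for node in ast.walk(ast.parse(config_source)):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id == "SECRET_KEY":
                if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                    value = node.value.value  # last assignment wins, as in Python itself
    return value


def assess_secret_key(config_source: str) -> List[str]:
    """Return findings for the config; an empty list means the key looks acceptable."""
    key = extract_secret_key(config_source)
    findings: List[str] = []
    if key is None:
        findings.append("SECRET_KEY not set as a string literal; the built-in default applies")
        return findings
    if key in PLACEHOLDER_KEYS:
        findings.append("SECRET_KEY is a known placeholder value")
    if len(key) < MIN_KEY_LENGTH:
        findings.append(f"SECRET_KEY shorter than {MIN_KEY_LENGTH} characters")
    if shannon_entropy_bits(key) < MIN_ENTROPY_BITS:
        findings.append(f"SECRET_KEY has under {int(MIN_ENTROPY_BITS)} bits of estimated entropy")
    return findings


def generate_secret_key() -> str:
    """Random key from the OS CSPRNG; 42 bytes mirrors the guide's `openssl rand -base64 42`."""
    return secrets.token_urlsafe(42)


# Constructed sample configs: one left at a placeholder, one using a generated key.
WEAK_CONFIG = 'SECRET_KEY = "CHANGE_ME"\n'
STRONG_CONFIG = f'SECRET_KEY = "{generate_secret_key()}"\n'

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(name, assess_secret_key(cfg) or "OK")
```

Run it against your real config with `assess_secret_key(open("superset_config.py").read())`. Changing the key invalidates existing sessions and affects secrets Superset has encrypted with the old key, which is why the official rotation guide linked above should be followed rather than simply editing the value in place.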
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.