Cyber Resilience

CVE-2023-27524

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 24 April 2023
Modified: 26 February 2026
KEV Added: 08 January 2024
CVSS Score v3.1: 8.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.8403 (99.3rd percentile)
Risk Priority: 88 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-27524 is a high-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Apache Superset. Its CVSS base score is 8.9 (High).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2023-27524 is a session validation vulnerability affecting Apache Superset versions up to and including 2.0.1. It arises when installations retain the default SECRET_KEY configuration value, which is used to sign session cookies and encrypt sensitive database information, allowing unauthorized authentication to protected resources. The issue is tracked under CWE-1188 and carries a CVSS 3.1 score of 8.9.

An unauthenticated remote attacker can exploit the flaw over the network by using the unchanged default key to forge valid sessions, thereby gaining access to data and functionality that should be restricted. The attack requires no user interaction and has high impact on confidentiality and integrity and limited impact on availability. It does not affect deployments where administrators have already replaced the default SECRET_KEY.

Apache advisories instruct all Superset installations to configure a unique, randomly generated SECRET_KEY in the superset_config.py file or via the SUPERSET_SECRET_KEY environment variable, emphasizing that this step must be performed according to installation guidance.

The associated EPSS score reached a peak of 0.9729, indicating that exploitation interest emerged after disclosure and that the vulnerability warrants renewed attention.


Vulnerability details

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like:

    SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
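As an added example, not code from the page, the Apache advisory or the Superset project, the following stdlib-only Python models the signed-session-cookie dependency on SECRET_KEY that the analysis and the vulnerability details describe, and adds a startup check a deployment can run against the key it has configured. The HMAC cookie scheme only approximates Flask's real itsdangerous-based format; the `PLACEHOLDER_KEYS` set (seeded with the page's placeholder string) and the `MIN_KEY_BYTES` threshold are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# The page's placeholder stands in for a "still at default" key; shipped defaults are not listed.
PLACEHOLDER_KEYS = {"YOUR_OWN_RANDOM_GENERATED_SECRET_KEY"}
MIN_KEY_BYTES = 32  # assumed local policy, not a Superset requirement

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_session(secret_key: str, session: dict) -> str:
    """Cookie = base64(JSON payload) '.' HMAC-SHA256(payload) under secret_key.
    Anyone holding secret_key can mint a cookie for any user id."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    mac = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"

def load_session(secret_key: str, cookie: str):
    """Return the session dict only if the MAC verifies under secret_key."""
    try:
        payload, sig = cookie.rsplit(".", 1)
        mac = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _unb64(sig)):
            return None  # forged, tampered, or signed under a since-rotated key
        return json.loads(_unb64(payload))
    except ValueError:  # no separator, bad base64, or bad JSON
        return None

def check_secret_key(secret_key) -> list:
    """Startup check for superset_config.py: why the configured key is unacceptable."""
    if not isinstance(secret_key, str) or not secret_key:
        return ["SECRET_KEY is unset"]
    problems = []
    if secret_key in PLACEHOLDER_KEYS:
        problems.append("SECRET_KEY is the documentation placeholder")
    if len(secret_key.encode()) < MIN_KEY_BYTES:
        problems.append("SECRET_KEY is shorter than %d bytes" % MIN_KEY_BYTES)
    if len(set(secret_key)) < 16:
        problems.append("SECRET_KEY has too few distinct characters to be random")
    return problems

def generate_secret_key() -> str:
    """42 random bytes, base64-encoded: a suitable replacement value."""
    return base64.b64encode(secrets.token_bytes(42)).decode()
```

Rotating to a `generate_secret_key()` value invalidates every cookie minted under the old key, which is what closes the forgery path after a default has been exposed.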

CWE(s): CWE-1188 (Initialization of a Resource with an Insecure Default)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache · Product: superset · Versions: ≤ 2.0.1

Mitigating Controls (NIST 800-53 r5)

prevent: SC-12 (Cryptographic Key Establishment and Management)

Requires proper establishment and management of cryptographic keys such as the SECRET_KEY used to sign Superset session cookies, directly preventing use of the known default value.

prevent: SC-23 (Session Authenticity)

Mandates protection of session authenticity through secure mechanisms, which fails when the default SECRET_KEY allows predictable cookie signing and session forgery.

prevent

Requires secure management of authenticators and their underlying secrets, addressing the need to replace the default SECRET_KEY that enables unauthorized session authentication.
