CVE-2023-27524
Published: 24 April 2023
Summary
CVE-2023-27524 is a high-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Apache Superset. Its CVSS base score is 8.9 (High).
Operationally, it ranks in the top 0.7% of CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2023-27524 is a session validation vulnerability affecting Apache Superset versions up to and including 2.0.1. It arises when an installation keeps the SECRET_KEY value shipped in the default configuration. Superset is a Flask application, and Flask uses SECRET_KEY to sign the session cookie; Superset additionally uses it to encrypt sensitive information held in its metadata database. Because the default value is published with the project, anyone who reads it can compute valid cookie signatures and authenticate as any user without credentials. The issue is tracked under CWE-1188 and carries a CVSS 3.1 score of 8.9.
An unauthenticated remote attacker exploits the flaw over the network by signing a session cookie of their choosing with the unchanged default key and presenting it to the server, which accepts it as a legitimate session and grants access to data and functionality that should be restricted. The attack requires no user interaction and has high confidentiality and integrity impact with limited availability impact. Deployments whose administrators have already replaced the default SECRET_KEY are not affected. Note that rotating the key invalidates every existing session (all users must log in again) and that secrets already encrypted under the old key must be re-encrypted, a step Superset's configuration documentation covers; plan both before changing the value in production.
Apache advisories instruct all Superset installations to configure a unique, randomly generated SECRET_KEY in the superset_config.py file or via the SUPERSET_SECRET_KEY environment variable, emphasizing that this step must be performed according to installation guidance.
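The forgery path described above, as an added example that is not part of the original advisory or of Superset's or Flask's code: a simplified stand-in for Flask's signed session cookie (HMAC-SHA1 over a base64 payload and timestamp, signing key derived from SECRET_KEY with the salt "cookie-session") shows that an attacker who knows the shipped default can mint a cookie the server accepts, that the same cookie is rejected once SECRET_KEY is rotated to a random value, and how a defender can test a deployment's own cookie against a list of known default keys. The string SHIPPED_DEFAULT_KEY is constructed for the example and is not Superset's real default; the signer omits Flask's payload compression and expiry handling.

```python
"""Why an unchanged Flask SECRET_KEY lets an attacker forge Superset sessions.

Flask keeps the session client-side as a signed cookie: a base64 payload, a
timestamp and an HMAC whose key is derived from SECRET_KEY.  Whoever knows the
same SECRET_KEY can mint any session the server will trust.  SessionSigner is
a simplified stand-in for Flask's cookie session interface (HMAC-SHA1, salt
"cookie-session", plain JSON, no compression or expiry) written for this
example; it is not Superset's or Flask's code.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Iterable, Optional

SALT = b"cookie-session"  # salt Flask uses when deriving the session signing key

# Constructed stand-in for a key shipped in an example config (not Superset's
# real default).  It is "public" in the sense that matters: anyone who reads
# the default config file knows it.
SHIPPED_DEFAULT_KEY = "example-default-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionSigner:
    """Signs and verifies session cookies the way Flask does, simplified."""

    def __init__(self, secret_key: str) -> None:
        # Flask derives the actual signing key as HMAC-SHA1(SECRET_KEY, salt).
        self._key = hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()

    def _sig(self, signed_part: bytes) -> str:
        return _b64(hmac.new(self._key, signed_part, hashlib.sha1).digest())

    def sign(self, session: dict, timestamp: Optional[int] = None) -> str:
        ts = int(time.time()) if timestamp is None else timestamp
        payload = _b64(json.dumps(session, sort_keys=True).encode())
        ts_part = _b64(ts.to_bytes(8, "big"))
        signed_part = f"{payload}.{ts_part}".encode()
        return f"{payload}.{ts_part}.{self._sig(signed_part)}"

    def verify(self, cookie: str) -> Optional[dict]:
        """Return the session dict if the signature is valid, else None."""
        parts = cookie.split(".")
        if len(parts) != 3:
            return None
        payload, ts_part, sig = parts
        expected = self._sig(f"{payload}.{ts_part}".encode())
        if not hmac.compare_digest(expected, sig):
            return None
        try:
            return json.loads(_unb64(payload))
        except ValueError:  # bad base64 or bad JSON
            return None


def forge_admin_cookie(known_key: str) -> str:
    """Attacker side: sign a session claiming user id 1 (commonly the first
    admin) with the key read from the default config.  No password, no login."""
    return SessionSigner(known_key).sign({"_user_id": "1", "_fresh": True})


def server_accepts(server_key: str, cookie: str) -> bool:
    """Server side: accept the cookie if it verifies under the configured key."""
    return SessionSigner(server_key).verify(cookie) is not None


def find_default_key(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """Check a deployment's own session cookie against known default keys.
    A hit means SECRET_KEY was never changed.  Scanners and attackers do the
    same, so run it against your own instances first."""
    for key in candidates:
        if SessionSigner(key).verify(cookie) is not None:
            return key
    return None


def generate_secret_key() -> str:
    """The fix: a unique key from the OS CSPRNG (42 random bytes, the size the
    `openssl rand -base64 42` suggestion in Superset's configuration docs
    yields).  Set it as SECRET_KEY in superset_config.py or as SUPERSET_SECRET_KEY."""
    return secrets.token_urlsafe(42)


if __name__ == "__main__":
    forged = forge_admin_cookie(SHIPPED_DEFAULT_KEY)
    print("default key, forged cookie accepted:", server_accepts(SHIPPED_DEFAULT_KEY, forged))
    print("cookie verifies under known default:", find_default_key(forged, [SHIPPED_DEFAULT_KEY]))
    rotated = generate_secret_key()
    print("rotated key, same cookie accepted:", server_accepts(rotated, forged))
    # Rotation also invalidates every legitimate session: a forced re-login.
    own = SessionSigner(rotated).sign({"_user_id": "2"})
    print("server's own post-rotation cookie verifies:", server_accepts(rotated, own))
```

Running the block prints True, the default key, False, True in that order: the forged cookie is indistinguishable from a real one while the default key is in use, and becomes worthless the moment the key is replaced. The `find_default_key` check is the practical test for a fleet: issue yourself a cookie from each instance (any login, or the anonymous session cookie) and verify it against the defaults shipped with the versions you run.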
The associated EPSS score peaked at 0.9729, meaning the model rated exploitation in the wild as highly likely in the period after disclosure; any installation still running the shipped SECRET_KEY should be treated as exposed and fixed now rather than scheduled.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1207
Vulnerability details
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
- CWE(s): CWE-1188 (Initialization of a Resource with an Insecure Default)
- KEV Date Added: 08 January 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SC-12 (Cryptographic Key Establishment and Management): requires proper establishment and management of cryptographic keys such as the SECRET_KEY used to sign Superset session cookies; generating a unique random key per deployment directly prevents use of the known default value.
SC-23 (Session Authenticity): mandates protection of session authenticity through secure mechanisms, which fails when the default SECRET_KEY lets anyone compute cookie signatures and forge sessions.
IA-5 (Authenticator Management): requires secure management of authenticators and their underlying secrets, including replacing vendor-supplied defaults before deployment, which is exactly the unchanged SECRET_KEY that enables unauthorized session authentication here.