IT security experts: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2023-27524

Description

Session validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not changed the default configured SECRET_KEY according to the installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value of the SECRET_KEY config.

All Superset installations should always set a unique, secure, random SECRET_KEY. Your SECRET_KEY is used to sign all session cookies securely and to encrypt sensitive information in the database. Add a strong SECRET_KEY to your `superset_config.py` file like:

SECRET_KEY =

Alternatively you can set it with the `SUPERSET_SECRET_KEY` environment variable.
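As an added example (not from the advisory or the Superset project), the following Python audit determines which SECRET_KEY a `superset_config.py` or the `SUPERSET_SECRET_KEY` variable would actually supply and flags a missing, placeholder-looking or weak value; the placeholder markers and the length and entropy thresholds are assumptions chosen here, not values taken from Superset.

```python
import ast
import math
import secrets
from collections import Counter

# Constructed list of placeholder-looking fragments; not Superset's own default value.
PLACEHOLDER_MARKERS = ("changeme", "change_me", "secret", "example", "placeholder")
MIN_KEY_LENGTH = 32     # characters; the Superset docs suggest `openssl rand -base64 42`
MIN_ENTROPY_BITS = 3.0  # bits per character (assumed threshold); lower means repetitive text
NON_LITERAL = object()  # sentinel: SECRET_KEY is assigned from an expression, not a literal


def shannon_entropy(value: str) -> float:
    """Crude strength estimate: Shannon entropy in bits per character."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0


def extract_secret_key(config_source: str):
    """Return the string assigned to SECRET_KEY, None if absent, NON_LITERAL if computed."""
    for node in ast.walk(ast.parse(config_source)):
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets
        ):
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                return value.value
            return NON_LITERAL
    return None


def audit_secret_key(config_source: str, env: dict) -> list:
    """Return findings for the effective key; env is the process environment (a dict)."""
    key = extract_secret_key(config_source)
    if key is None:  # config is silent, so SUPERSET_SECRET_KEY is the only other source
        key = env.get("SUPERSET_SECRET_KEY")
    if key is None:
        return ["SECRET_KEY is not set; Superset will fall back to its built-in default"]
    if key is NON_LITERAL:
        return ["SECRET_KEY is assigned from a non-literal expression; verify it manually"]
    findings = []
    if len(key) < MIN_KEY_LENGTH:
        findings.append(f"SECRET_KEY is only {len(key)} characters (want >= {MIN_KEY_LENGTH})")
    if any(marker in key.lower() for marker in PLACEHOLDER_MARKERS):
        findings.append("SECRET_KEY looks like a placeholder value")
    if shannon_entropy(key) < MIN_ENTROPY_BITS:
        findings.append("SECRET_KEY has low entropy (repetitive or dictionary-like)")
    return findings


def generate_secret_key() -> str:
    """Replacement key: 42 random bytes, url-safe base64 (same size as `openssl rand -base64 42`)."""
    return secrets.token_urlsafe(42)
```

Run `audit_secret_key(open("superset_config.py").read(), dict(os.environ))` on each deployment and treat any non-empty result as a finding; `generate_secret_key()` produces a suitable replacement value.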

POC

Reference

- http://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html

- http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html

- https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html

- https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html

Github

- https://github.com/0day404/vulnerability-poc

- https://github.com/20142995/sectool

- https://github.com/Awrrays/FrameVul

- https://github.com/CN016/Apache-Superset-SECRET_KEY-CVE-2023-27524-

- https://github.com/CVEDB/awesome-cve-repo

- https://github.com/CVEDB/top

- https://github.com/Cappricio-Securities/CVE-2022-21371

- https://github.com/Cappricio-Securities/CVE-2023-27524

- https://github.com/Cappricio-Securities/CVE-2024-0235

- https://github.com/J1ezds/Vulnerability-Wiki-page

- https://github.com/KayCHENvip/vulnerability-poc

- https://github.com/Lucky-7Lee/WHS-vulhub

- https://github.com/MaanVader/CVE-2023-27524-POC

- https://github.com/Mr-xn/Penetration_Testing_POC

- https://github.com/NguyenCongHaiNam/Research-CVE-2023-27524

- https://github.com/Okaytc/Superset_auth_bypass_check

- https://github.com/Ostorlab/KEV

- https://github.com/Pari-Malam/CVE-2023-27524

- https://github.com/TardC/CVE-2023-27524

- https://github.com/ThatNotEasy/CVE-2023-27524

- https://github.com/Threekiii/Awesome-POC

- https://github.com/Threekiii/CVE

- https://github.com/XRSec/AWVS-Update

- https://github.com/XiaomingX/awesome-poc-for-red-team

- https://github.com/ZZ-SOCMAP/CVE-2023-27524

- https://github.com/abrahim7112/Vulnerability-checking-program-for-Android

- https://github.com/aleksey-vi/offzone_2023

- https://github.com/aleksey-vi/presentation-report

- https://github.com/antx-code/CVE-2023-27524

- https://github.com/bright-angel/sec-repos

- https://github.com/cc8700619/poc

- https://github.com/cyberwithcyril/VulhubPenTestingReport

- https://github.com/d-rn/vulBox

- https://github.com/d4n-sec/d4n-sec.github.io

- https://github.com/dedcrowd/wordpress

- https://github.com/gobysec/Research

- https://github.com/h1n4mx0/Research-CVE-2023-27524

- https://github.com/hktalent/TOP

- https://github.com/horizon3ai/CVE-2023-27524

- https://github.com/hunthack3r/wordpress

- https://github.com/jakabakos/CVE-2023-27524-Apache-Superset-Auth-Bypass-and-RCE

- https://github.com/karthi-the-hacker/CVE-2023-27524

- https://github.com/kovatechy/Cappricio

- https://github.com/labc-dev/CVE-2024-34693

- https://github.com/lions2012/Penetration_Testing_POC

- https://github.com/machevalia/ButProxied

- https://github.com/mbadanoiu/CVE-2024-34693

- https://github.com/necroteddy/CVE-2023-27524

- https://github.com/netlas-io/netlas-dorks

- https://github.com/nomi-sec/PoC-in-GitHub

- https://github.com/nvn1729/advisories

- https://github.com/summerainX/vul_poc

- https://github.com/todb-cisa/kev-cwes

- https://github.com/togacoder/superset_study