PT-2023-2879 · Apache · Apache Superset
Naveen Sunkavally · Published 2023-04-24 · Updated 2025-09-09 · CVE-2023-27524
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Superset versions up to and including 2.0.1

Description: The issue is a session validation flaw in Apache Superset: installations that have not changed the default SECRET_KEY as the installation instructions require allow an attacker to authenticate and access unauthorized resources. Superset administrators who have changed the default value of the SECRET_KEY config are not affected. The SECRET_KEY is used to securely sign all session cookies and to encrypt sensitive information in the database. Approximately 2,124 servers are potentially affected, with 67% of open internet-facing servers still using the default configuration.

Recommendations: For versions up to and including 2.0.1, add a strong SECRET_KEY to your superset_config.py file, e.g. SECRET_KEY = <YOUR OWN RANDOM GENERATED SECRET KEY>. Alternatively, set it with the SUPERSET_SECRET_KEY environment variable. As a temporary workaround, change the default SECRET_KEY to prevent exploitation until a patch is applied or the version is updated. For the best protection, update to version 2.1 or later, which does not allow the server to run with the default SECRET_KEY.
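The recommendation above, worked through as an added example (not code from Apache Superset or from this advisory): a config loader that resolves SECRET_KEY from the SUPERSET_SECRET_KEY environment variable or superset_config.py and refuses to start with a default or short key, mirroring the behaviour the advisory describes for 2.1 and later, followed by a simplified signed-cookie check showing why the key matters. The default-key value, the HMAC cookie format and the sample payload are constructed for illustration; Flask's real session format (itsdangerous) differs in layout, but the trust model is the same.

```python
import hashlib
import hmac
import os
import secrets

# Constructed placeholder standing in for a shipped default; NOT the real
# value Superset ships. Anything equal to it must be rejected at startup.
DEFAULT_SECRET_KEY_PLACEHOLDER = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"
MIN_KEY_LENGTH = 32


def load_secret_key(config, environ=None):
    """Resolve SECRET_KEY the way the advisory recommends: the
    SUPERSET_SECRET_KEY environment variable wins, then SECRET_KEY from
    superset_config.py (passed here as a dict). Refuse to start on a
    missing, default or short key, as Superset >= 2.1 refuses the default."""
    environ = os.environ if environ is None else environ
    key = environ.get("SUPERSET_SECRET_KEY") or config.get("SECRET_KEY")
    if not key:
        raise RuntimeError("SECRET_KEY is not set")
    if key == DEFAULT_SECRET_KEY_PLACEHOLDER:
        raise RuntimeError("refusing to start with the default SECRET_KEY")
    if len(key) < MIN_KEY_LENGTH:
        raise RuntimeError("SECRET_KEY is too short")
    return key


def generate_secret_key():
    """A value fit to paste into superset_config.py as SECRET_KEY."""
    return secrets.token_urlsafe(42)


def sign_session(payload, secret_key):
    """Simplified signed cookie: '<payload>.<hex HMAC-SHA256 over payload>'.
    The HMAC is the only thing binding the cookie to this server, which is
    exactly why a shared default key lets anyone mint a valid cookie."""
    mac = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_session(cookie, secret_key):
    """Return the payload if the MAC verifies under secret_key, else None."""
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None


def demo():
    """Contrast a server on the default key with one on a generated key."""
    payload = "user_id=1;role=Admin"  # constructed sample session content
    strong_key = generate_secret_key()
    # Cookie minted by someone who only knows the (public) default key.
    default_signed = sign_session(payload, DEFAULT_SECRET_KEY_PLACEHOLDER)
    return {
        # Server still on the default key: the minted cookie is accepted.
        "default_key_accepts_it": verify_session(default_signed, DEFAULT_SECRET_KEY_PLACEHOLDER) is not None,
        # Server with its own key: the same cookie is rejected.
        "strong_key_rejects_it": verify_session(default_signed, strong_key) is None,
        # Cookies the server itself issued still round-trip.
        "own_cookie_valid": verify_session(sign_session(payload, strong_key), strong_key) == payload,
    }


if __name__ == "__main__":
    print(demo())
```

Run it once at deploy time with your real config dict; a RuntimeError from load_secret_key is the signal that the instance is still in the vulnerable state described above.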

Related Identifiers

BDU:2023-02828
BIT-SUPERSET-2023-27524
CVE-2023-27524
GHSA-5CX2-VQ3H-X52C

Affected Products

Apache Superset