CVE-2021-41192

Name of the Vulnerable Software and Affected Versions Redash versions 10.0.0 and prior

Description Redash is a package for data visualization and sharing. If an admin sets up Redash without explicitly specifying the REDASH COOKIE SECRET or REDASH SECRET KEY environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the REDASH COOKIE SECRET or REDASH SECRET KEY environment variables have not been explicitly set. Users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the getredash/setup repository are not affected, as these instances automatically generate unique secret keys during installation. One can verify whether their instance is affected by checking the value of the REDASH COOKIE SECRET environment variable. If it is c292a0a3aa32397cdb050e233733900f, they should follow the steps to secure the instance.

Recommendations To secure the instance, follow the steps outlined in the GitHub Security Advisory if the REDASH COOKIE SECRET environment variable is c292a0a3aa32397cdb050e233733900f. As a temporary workaround, consider regenerating the REDASH COOKIE SECRET and REDASH SECRET KEY environment variables with unique values to prevent session forgery. Restrict access to the Redash instance until the issue is resolved.