⚠ Actively exploited
Added to CISA KEV on 2024-01-08. Federal agencies required to patch by 2024-01-29. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2023-27524 — Initialization of a Resource with an Insecure Default in Apache Software Foundation Apache Superset
Severity: 9.8 CRITICAL (NVD); CNA: 8.9; VulnCheck: 8.9
EPSS: 84.0% (top 0.70%)
CISA KEV: Added 2024-01-08, Due 2024-01-29
Exploit: Exploited in the wild; active exploitation observed
Affected products
Timeline
Published: Apr 24
KEV added: Jan 8
KEV due: Jan 29
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Description
Session validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not changed the default SECRET_KEY as directed by the installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value of the SECRET_KEY setting.
All Superset installations should always set a unique, securely generated random SECRET_KEY. Your SECRET_KEY is used to securely sign all session…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)
Affected Packages: 2 packages
Vulnerability Details: CVEList (4)
Exploits & PoCs: Nuclei (2), including "Apache Superset - Authentication Bypass"