CVE-2023-27524
unknown
KEV
CVSS v3
—
CVSS v2
—
VIR risk
1.5
Description
Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.
CISA KEV
- Vendor
- Apache
- Product
- Superset
- Due date
- 2024-01-29
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk; https://nvd.nist.gov/vuln/detail/CVE-2023-27524
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | apache-superset | <2.1.0 | 2.1.0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-27524
- https://github.com/apache/superset/commit/b180319bbf08e876ea84963220ebebbfd0699e03
- https://github.com/apache/superset
- https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
- https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27524
- https://www.openwall.com/lists/oss-security/2023/04/24/2
- http://www.openwall.com/lists/oss-security/2023/04/24/2
- https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk; https://nvd.nist.gov/vuln/detail/CVE-2023-27524
Verify integrity in audit chain (admin only). AS-IS.