CVE-2023-27524 — Apache superset missing check for default SECRET_KEY

Description

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

How to fix CVE-2023-27524

To remediate CVE-2023-27524, upgrade the affected package to a fixed version below.

—upgrade to 2.0.2 or later
—upgrade to 2.1.0 or later

Is CVE-2023-27524 being exploited?

Yes — CVE-2023-27524 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (2)

from 0, < 2.0.2
from 0, < 2.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-27524
PATCHgithub.com/apache/superset
WEBgithub.com/apache/superset/commit/b180319bbf08e876ea84963220ebebbfd0699e03
WEBlists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk