Product and Affected Versions: The Apache Superset open source data visualization software is affected by a dangerous default configuration vulnerability. Versions up to and including 2.0.1 are vulnerable to this flaw.
Severity and CVE ID: The vulnerability is tracked as CVE-2023-27524 and has a CVSS score of 8.9, which is considered critical.
Vulnerability: The vulnerability arises from the use of a default SECRET_KEY, which attackers can exploit to authenticate to internet-exposed installations and access resources they are not authorized for. The flaw enables an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data.
How the Attack Works: An attacker who knows the secret key can forge a session cookie, sign in to the server as an administrator, and seize control of the system. The vulnerability does not affect instances that have changed the default value of the SECRET_KEY config to a cryptographically secure random string.
Remediations: The project maintainers have released fixes that plug the security hole by preventing the server from starting at all if it is configured with the default SECRET_KEY. The vulnerability news team advised users to update their systems to version 2.1 or above, and also recommended overriding the default SECRET_KEY with a cryptographically secure random string. In conclusion, the Apache Superset vulnerability highlights the importance of strong cyber security practices such as secure default configurations and keeping software up to date, to prevent attacks and protect sensitive data.
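As an added example (not Superset's own code), the Python below mirrors the two remediations described above: a startup guard that refuses a default or short SECRET_KEY, and a generator for a secure replacement. The HMAC functions are a simplified model of a signed session cookie, not Flask's real cookie format, included to show why a shared default key lets anyone mint a valid session and why rotating the key invalidates existing ones; the default-key strings and the 32-byte floor are placeholders and assumptions, not the real shipped default.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# Placeholder stand-ins for a shipped default value (not the real default).
KNOWN_DEFAULT_KEYS = {"CHANGE_ME_DEFAULT_SECRET_KEY", "thisISaSECRET_1234"}
MIN_KEY_BYTES = 32  # assumed floor; Superset docs suggest ~42 random bytes


def is_weak_secret_key(key: str) -> bool:
    """True if the key is a known default or too short to resist guessing."""
    return key in KNOWN_DEFAULT_KEYS or len(key.encode()) < MIN_KEY_BYTES


def generate_secret_key() -> str:
    """Cryptographically secure random key, 42 bytes as URL-safe base64."""
    return secrets.token_urlsafe(42)


def check_startup_config(config: dict) -> str:
    """Refuse to start with a weak SECRET_KEY, as the 2.1 fix does."""
    key = config.get("SECRET_KEY", "")
    if is_weak_secret_key(key):
        raise RuntimeError("SECRET_KEY is a default or too short; refusing to start")
    return key


def sign_session(payload: bytes, key: str) -> str:
    """Simplified signed cookie: b64(payload).b64(HMAC-SHA256(payload))."""
    mac = hmac.new(key.encode(), payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_session(token: str, key: str) -> Optional[bytes]:
    """Return the payload if the MAC matches under key, else None."""
    try:
        p_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key.encode(), payload, hashlib.sha256).digest()
    # Constant-time compare; a cookie minted under the old key fails here.
    return payload if hmac.compare_digest(mac, expected) else None
```

Rotating SECRET_KEY after an exposure logs every user out, which is the intended effect: any cookie signed under the old key stops verifying.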