
CVE-2023-27524 PoC — Apache Superset: Session validation vulnerability when using provided default SECRET_KEY

Source
Associated Vulnerability
Title: Apache Superset: Session validation vulnerability when using provided default SECRET_KEY (CVE-2023-27524)
Description: Session validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not changed the default configured SECRET_KEY according to the installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value of the SECRET_KEY config. All Superset installations should always set a unique, secure, random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and to encrypt sensitive information in the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively, you can set it with the `SUPERSET_SECRET_KEY` environment variable.
Description
Tool for finding CVE-2023-27524 (Apache Superset - Authentication Bypass)
Readme
# CVE-2023-27524
Tool for finding CVE-2023-27524 (Apache Superset - Authentication Bypass)
File Snapshot

[4.0K] /data/pocs/30a9349cd0cf68bdd16a1624de9268b4d663ec01
├── [4.0K] cve202327524
│   ├── [4.0K] includes
│   │   ├── [ 659] bot.py
│   │   ├── [ 470] filereader.py
│   │   ├── [   0] __init__.py
│   │   ├── [2.2K] scan.py
│   │   └── [ 285] writefile.py
│   ├── [1.7K] main.py
│   └── [4.0K] utils
│       ├── [1.9K] configure.py
│       ├── [ 879] const.py
│       ├── [2.3K] helpers.py
│       ├── [   0] __init__.py
│       └── [ 227] status.py
├── [1.0K] LICENSE
└── [  91] README.md

3 directories, 13 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support.