Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-27524 PoC — Apache Superset: Session validation vulnerability when using provided default SECRET_KEY

Source
https://github.com/ThatNotEasy/CVE-2023-27524
Associated Vulnerability
Title:Apache Superset: Session validation vulnerability when using provided default SECRET_KEY (CVE-2023-27524)
Description:Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
Description
Perform With Apache-SuperSet Leaked Token [CSRF]
Readme
## CVE-2023-27524
- Insecure Default Configuration in Apache Superset Leads to Remote Code Execution
## Screenshot
![Screenshot_5](https://user-images.githubusercontent.com/25004320/236394414-6a589e1b-2d74-4f00-a3e7-87467a90e01f.png)
## Requirements
- Python3.7+
## Supported Os
- Linuxer
- Wingays
## Get start with
```
$ git clone https://github.com/Pari-Malam/CVE-2023-27524
$ cd CVE-2023-27524
$ pip/pip3 install -r requirements.txt
$ python/python3 superset.py
```
## Footprints Notes
- By using this tool, you agree that you are using it for educational purposes only and that you will not use it for any illegal activity. You also agree to bear all risks associated with the use of this tool. I will not be responsible for direct or indirect damage caused by the use of this tool. Don't suyyyyyyyyyyyyyyyyyyyy me!
## Author
- Pari Malam
## Contacts
[![Telegram](https://img.shields.io/badge/-Telegram-blue)](https://telegram.me/SurpriseMTFK)
[![Discord](https://img.shields.io/badge/-Discord-purple)](https://discordapp.com/users/829404192585678858)
File Snapshot

 [4.0K]  /data/pocs/f8ba99ed59efda8a009c2bbe5d9b730d40e6fdbf
├── [1.0K]  README.md
├── [  59]  requirements.txt
├── [4.0K]  Results
│   └── [ 171]  Cookies.txt
└── [9.8K]  superset.py

1 directory, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →