CVE-2023-27524

KEV
Published: Apr 24, 2023 Last Modified: Feb 26, 2026
HIGH 8.9
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: low

Description

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

All Superset installations should always set a unique, securely generated random SECRET_KEY. The SECRET_KEY is used to sign all session cookies and to encrypt sensitive information stored in the database.
Add a strong SECRET_KEY to your `superset_config.py` file like:

SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.

EPSS (Exploit Prediction Scoring System)

Predicts the probability of exploitation based on threat intelligence and the characteristics of the vulnerability.

EPSS Score
0.8409
Percentile
1.0th
EPSS Score Trend (Last 91 Days): chart not reproduced

CWE-1188: Initialization of a Resource with an Insecure Default

Incomplete
Common Consequences
Security Scopes Affected:
Other
Potential Impacts:
Varies By Context
Applicable Platforms
All platforms may be affected
Exploit

Apache Superset 2.0.0 - Authentication Bypass

Application

Superset by Apache

Version Range Affected
To 2.0.1 (inclusive)
cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023…
https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authenticati…
https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-…
https://www.openwall.com/lists/oss-security/2023/04/24/2