CVE-2023-27524
| CVE Published | 2023-04-24 |
|---|---|
| Related CWE(s) | CWE-1188: Initialization of a Resource with an Insecure Default |
| Related Vendor(s) | apache |
| Related Product(s) | superset |
| Exploitation Reported (CISA KEV) | 2024-01-08 |
| CVSS 3 Base Score | 9.8 (CRITICAL) |
| CVSS 3 Attack Complexity | LOW |
| CVSS 3 Attack Vector | NETWORK |
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database.
Add a strong SECRET_KEY to your superset_config.py file like:
SECRET_KEY =
Alternatively you can set it with SUPERSET_SECRET_KEY environment variable.
Cyber Threat Graph Context
Explore how this CVE relates to the wider threat graph