CVE-2023-27524: Insecure Default Initialization of Resource

April 24, 2023 (updated January 21, 2024)

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

References

www.openwall.com/lists/oss-security/2023/04/24/2
github.com/advisories/GHSA-5cx2-vq3h-x52c
github.com/apache/superset/commit/b180319bbf08e876ea84963220ebebbfd0699e03
lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
nvd.nist.gov/vuln/detail/CVE-2023-27524

Code Behaviors & Features

Detect and mitigate CVE-2023-27524 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →