mirror of
https://github.com/0xMarcio/cve.git
synced 2025-05-06 02:31:38 +00:00
3.3 KiB
3.3 KiB
CVE-2023-27524
Description
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database.Add a strong SECRET_KEY to your superset_config.py file like:SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>Alternatively you can set it with SUPERSET_SECRET_KEY environment variable.
POC
Reference
- http://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
- https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
Github
- https://github.com/0day404/vulnerability-poc
- https://github.com/20142995/sectool
- https://github.com/Awrrays/FrameVul
- https://github.com/CN016/Apache-Superset-SECRET_KEY-CVE-2023-27524-
- https://github.com/CVEDB/awesome-cve-repo
- https://github.com/CVEDB/top
- https://github.com/KayCHENvip/vulnerability-poc
- https://github.com/MaanVader/CVE-2023-27524-POC
- https://github.com/Mr-xn/Penetration_Testing_POC
- https://github.com/NguyenCongHaiNam/Research-CVE-2023-27524
- https://github.com/Okaytc/Superset_auth_bypass_check
- https://github.com/Ostorlab/KEV
- https://github.com/Pari-Malam/CVE-2023-27524
- https://github.com/TardC/CVE-2023-27524
- https://github.com/ThatNotEasy/CVE-2023-27524
- https://github.com/Threekiii/Awesome-POC
- https://github.com/Threekiii/CVE
- https://github.com/XRSec/AWVS-Update
- https://github.com/abrahim7112/Vulnerability-checking-program-for-Android
- https://github.com/aleksey-vi/offzone_2023
- https://github.com/aleksey-vi/presentation-report
- https://github.com/antx-code/CVE-2023-27524
- https://github.com/d-rn/vulBox
- https://github.com/d4n-sec/d4n-sec.github.io
- https://github.com/gobysec/Research
- https://github.com/hktalent/TOP
- https://github.com/horizon3ai/CVE-2023-27524
- https://github.com/jakabakos/CVE-2023-27524-Apache-Superset-Auth-Bypass-and-RCE
- https://github.com/karthi-the-hacker/CVE-2023-27524
- https://github.com/kovatechy/Cappricio
- https://github.com/lions2012/Penetration_Testing_POC
- https://github.com/machevalia/ButProxied
- https://github.com/necroteddy/CVE-2023-27524
- https://github.com/netlas-io/netlas-dorks
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/nvn1729/advisories
- https://github.com/summerainX/vul_poc
- https://github.com/todb-cisa/kev-cwes
- https://github.com/togacoder/superset_study