Apache Superset Insecure Default Config Can Lead To Remote Code Execution

Horizon3.ai today published “CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution.”

CVE-2023-27524 is described by Horizon3.ai Chief Architect Naveen Sunkavally in this manner:

“a dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data. We estimate there are roughly 2K+ servers on the Internet affected by this issue.”

Apache Superset is an open source data visualization and exploration tool. It has over 50,000 stars on GitHub, and there are more than 3000 instances of it exposed to the Internet.

Horizon3.ai research found that at least two-thirds of all Internet-exposed servers (2000) are running with a dangerous default configuration. As a result, many of these servers are effectively open to the public. Any attacker can “log in” to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.

Horizon3.ai’s post is a deep dive into the misconfiguration, and provides advice for remediation as well as indicators of compromise that users of Superset should look for. The findings were published after the Foundation completed due diligence.

NIST describes CVE-2023-27524 as follows:

“Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.”

If you run Apache Superset, this is required reading for you.
