
Apache Superset: A story of insecure default keys, thousands of vulnerable systems, few paying attention
2023-04-25 22:35

Apache Superset until earlier this year shipped with an insecure default configuration that miscreants could exploit to log in and take over the data visualization application, steal data, and execute malicious code.

The researchers again checked how many Superset instances were running with one of the publicly known default secret keys.

Out of 3,176 Superset instances, 2,124 were using one of the four default keys.

"With this update, many new users of Superset will no longer unintentionally shoot themselves in the foot," said Sunkavally, who cautioned that it's still possible to end up with an insecure version of Superset if the software is installed via a docker-compose file or a helm template.

"The docker-compose file contains a new default SECRET_KEY of TEST_NON_DEV_SECRET that we suspect some users will unwittingly run Superset with. Some configurations also set admin/admin as the default credential for the admin user."

The 2,000+ vulnerable Superset instances identified were operated by companies large and small, government agencies, and universities, according to Sunkavally, who added that some of these organizations addressed the vulnerability after being notified about it.
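As an added defender-side example (not code from the article or from the Superset project): a small Python audit that pulls SECRET_KEY out of a superset_config.py, flags the shipped default quoted above or any low-entropy value, and mints a replacement in the form the Superset docs recommend (42 random bytes, base64). The known-default list, the 128-bit entropy floor and the sample config are assumptions constructed for this example.

```python
# Added example (not code from the article or the Superset project): audit a Superset
# SECRET_KEY as a defender would, and mint a replacement the way the Superset docs suggest.
import ast
import base64
import math
import re
import secrets
from collections import Counter
from typing import Optional

# Default quoted in the article; extend with the other defaults from the Superset
# advisory (assumption: the operator keeps this list current).
KNOWN_DEFAULT_KEYS = {"TEST_NON_DEV_SECRET"}
MIN_ENTROPY_BITS = 128.0  # assumption: a floor for a session-cookie signing key
_ASSIGN = re.compile(r"^\s*SECRET_KEY\s*=\s*(.+?)\s*$", re.MULTILINE)


def extract_secret_key(config_text: str) -> Optional[str]:
    """String literal assigned to SECRET_KEY in superset_config.py; None if unset or computed."""
    m = _ASSIGN.search(config_text)
    if not m:
        return None
    try:
        value = ast.literal_eval(m.group(1))  # handles quotes and a trailing comment
    except (ValueError, SyntaxError):
        return None  # e.g. os.environ["..."]: cannot be judged statically
    return value if isinstance(value, str) else None


def estimated_entropy_bits(s: str) -> float:
    """Shannon entropy of the string estimated from its own character frequencies."""
    n = len(s)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0
    return per_char * n


def assess_secret_key(key: Optional[str]) -> str:
    """Verdict: 'known-default', 'weak', 'unset-or-dynamic' or 'ok'."""
    if key is None:
        return "unset-or-dynamic"
    if key in KNOWN_DEFAULT_KEYS:
        return "known-default"  # anyone who knows the key can forge signed session cookies
    if estimated_entropy_bits(key) < MIN_ENTROPY_BITS:
        return "weak"
    return "ok"


def generate_secret_key(nbytes: int = 42) -> str:
    """Equivalent of `openssl rand -base64 42`, the form the Superset docs recommend."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


# Constructed sample: a config that still carries the shipped default.
SAMPLE_CONFIG = "ROW_LIMIT = 5000\nSECRET_KEY = 'TEST_NON_DEV_SECRET'  # from docker-compose\n"
```

A key read from the environment at runtime (e.g. `os.environ[...]`) comes back as `unset-or-dynamic`; check the deployed value directly in that case.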


News URL

https://go.theregister.com/feed/www.theregister.com/2023/04/25/apache_superset_cve/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apache 302 61 868 660 308 1897