Security News > 2023 > April > Thousands of Apache Superset servers exposed to RCE attacks
Apache Superset is vulnerable to authentication bypass and remote code execution at default configurations, allowing attackers to potentially access and modify data, harvest credentials, and execute commands.
Apache Superset is an open-source data visualization and exploration tool initially developed for Airbnb before it became a top-level project at the Apache Software Foundation in 2021.
According to a new report by Horizon3, Apache Superset used a default Flask Secret Key to sign authentication session cookies.
As a result, attackers can use this default key to forge session cookies that allow them to log in with administrator privileges to servers that did not change the key.
While the Apache documentation does tell admins to change the secret keys, Horizon3 says that this dangerous default configuration is currently detectable in about 2,000 internet-exposed servers belonging to universities, corporations of varying sizes, government organizations, and more.
The security company has shared a script on GitHub that Apache Superset admins can use to determine if their instance is vulnerable to attacks.
News URL
Related news
- Exploit released for Fortinet RCE bug used in attacks, patch now (source)
- Crafting Shields: Defending Minecraft Servers Against DDoS Attacks (source)
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks (source)
- New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks (source)
- New HTTP/2 DoS attack can crash web servers with a single connection (source)
- Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks (source)
- Apache Cordova App Harness Targeted in Dependency Confusion Attack (source)