Security News > 2023 > September > Alert: Apache SuperSet Vulnerabilities Expose Servers to Remote Code Execution Attacks

Patches have been released to address two new security vulnerabilities in Apache SuperSet that could be exploited by an attacker to gain remote code execution on affected systems.

Outside of these weaknesses, the latest version of Superset also remediates a separate improper REST API permission issue that allows for low-privilege users to carry out server-side request forgery attacks.

"If Superset can be tricked into connecting to its own metadata database, an attacker can directly read or write application configuration through SQLLab. This leads to harvesting credentials and remote code execution."

"An attacker with write access to the metadata database can insert an arbitrary pickle payload into the store, and then trigger deserialization of it, leading to remote code execution."

Ai said 2076 out of 3842 Superset servers are still using a default SECRET KEY, with about 72 instances using a trivially guessable SECRET KEY like superset, SUPERSET SECRET KEY, 1234567890, admin, changeme, thisisasecretkey, and your secret key here.

"At the root of many of the vulnerabilities is the fact that the Superset web interface permits users to connect to the metadata database. At the root of many of the vulnerabilities in this post is the fact that the Superset web interface permits users to connect to the metadata database."

News URL

https://thehackernews.com/2023/09/alert-apache-superset-vulnerabilities.html