CVE-2023-27524
HIGH 8.9 | ⚠ KEV | EPSS 84.0% | Apache Superset missing check for default SECRET_KEY
Published: 4/24/2023 | Modified: 10/22/2025 | Added to CISA KEV: 1/8/2024
Description
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
Affected packages (2)
- Bitnami/superset: from 0, < 2.0.2
- PyPI/apache-superset: from 0, < 2.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-27524
- PATCH: https://github.com/apache/superset
- WEB: https://github.com/apache/superset/commit/b180319bbf08e876ea84963220ebebbfd0699e03
- WEB: https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk
- WEB: https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html
- WEB: https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html
- WEB: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27524
- WEB: https://www.openwall.com/lists/oss-security/2023/04/24/2
- WEB: http://www.openwall.com/lists/oss-security/2023/04/24/2