Apache Superset, an open source data visualization software, was found to have an insecure default configuration that could lead to remote code execution.
The vulnerability has been assigned CVE-2023-27524 with a CVSS score of 8.9 and affects versions up to and including 2.0.1.
918 out of 1,288 publicly-accessible servers were found to be using the default configuration in October 2021.
A new update was released on April 5, 2023, to plug the security hole by preventing the server from starting up altogether if it’s configured with the default SECRET_KEY.
Despite the fix, it is still possible to run Superset with a default SECRET_KEY if it’s installed through a docker-compose file or a helm template.
Horizon3.ai has also made available a Python script to determine if Superset instances are susceptible to the flaw.
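As an added illustration (not code from the original article, the Superset project or Horizon3.ai), the following script audits a superset_config.py or docker-compose/.env file for a SECRET_KEY that is still the shipped default, too short or low in entropy, which is the configuration-side check a deployer would run before the server's own startup guard ever sees it. The default-key string is a placeholder because the article does not reproduce the real value, and the length and entropy thresholds are assumptions.

```python
import math
import re

# Placeholder for the shipped default key: the article does not reproduce the
# real string, so substitute the value from the Superset advisory when running this.
KNOWN_DEFAULT_KEYS = {"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"}  # placeholder
MIN_KEY_LEN = 32     # assumption: anything shorter is flagged as weak
MIN_ENTROPY = 3.0    # assumption: bits per character below this is flagged

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; repetitive or obvious keys score low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def assess_secret_key(key):
    """Findings for one SECRET_KEY value; an empty list means it looks acceptable."""
    if key is None:
        return ["SECRET_KEY not set: Superset falls back to its shipped default"]
    findings = []
    if key in KNOWN_DEFAULT_KEYS:
        findings.append("SECRET_KEY is a known default value")
    if len(key) < MIN_KEY_LEN:
        findings.append(f"SECRET_KEY shorter than {MIN_KEY_LEN} characters")
    if shannon_entropy(key) < MIN_ENTROPY:
        findings.append("SECRET_KEY has low entropy")
    return findings

# SECRET_KEY = '...' in superset_config.py; SUPERSET_SECRET_KEY in compose/.env files
_CONFIG_RE = re.compile(r"""^\s*SECRET_KEY\s*=\s*(['"])(.*?)\1""", re.M)
_ENV_RE = re.compile(r"""SUPERSET_SECRET_KEY\s*[:=]\s*['"]?([^'"\s]+)""")

def extract_keys(text: str) -> list:
    """Collect every SECRET_KEY value declared in config or compose/env text."""
    return [m.group(2) for m in _CONFIG_RE.finditer(text)] + \
           [m.group(1) for m in _ENV_RE.finditer(text)]

def audit(text: str) -> dict:
    """Map each declared key to its findings; declaring no key is itself a finding."""
    keys = extract_keys(text)
    return {k: assess_secret_key(k) for k in keys} if keys else {None: assess_secret_key(None)}

# Constructed sample inputs (not taken from any real deployment)
SAMPLE_COMPOSE = 'services:\n  superset:\n    environment:\n' \
                 '      SUPERSET_SECRET_KEY: "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"\n'
SAMPLE_CONFIG = 'SECRET_KEY = "q8Kd3vL0pZ2mXs7RtY4wBn9JcH1eFgU6aVoI5xQkN0r"\n'

if __name__ == "__main__":
    for text in (SAMPLE_COMPOSE, SAMPLE_CONFIG):
        print(audit(text))
```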