Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-04-24T15:28:16.573Z

Updated: 2024-08-02T12:16:35.472Z

Reserved: 2023-03-02T13:28:19.726Z

Link: CVE-2023-27524

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-04-24T16:15:07.843

Modified: 2024-11-21T07:53:05.773

Link: CVE-2023-27524

cve-icon Redhat

No data.