Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database.
Add a strong SECRET_KEY to your `superset_config.py` file like:
SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>
Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2023-04-24T15:28:16.573Z
Updated: 2024-08-02T12:16:35.472Z
Reserved: 2023-03-02T13:28:19.726Z
Link: CVE-2023-27524
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-04-24T16:15:07.843
Modified: 2024-11-21T07:53:05.773
Link: CVE-2023-27524
Redhat
No data.