Apache Superset vulnerability leaves servers vulnerable to RCE attacks


Compiled by: Code Guard

Apache Superset fixes two vulnerabilities that could have allowed an attacker to gain remote code execution on an affected system.


The updated Apache Superset version 2.1.1 fixes two vulnerabilities, CVE-2023-39265 and CVE-2023-37941. Once a malicious actor gains control of the Superset metadata database, these two vulnerabilities can be exploited to perform malicious operations.

In addition to these two vulnerabilities, the latest version of Superset also fixes a REST API improper-permissions issue, CVE-2023-36388, which can allow low-privileged users to perform server-side request forgery attacks. Naveen Sunkavally, a researcher at Horizon3.ai, noted in a technical write-up that "Superset is designed to enable privileged users to connect to arbitrary databases and perform arbitrary SQL requests on those databases using the powerful SQLLab interface. If Superset can be tricked into connecting to its own metadata database, the attacker can read or write the application configuration directly through SQLLab, thereby harvesting credentials and executing code remotely."

CVE-2023-39265 is related to bypassing URI restrictions when connecting to SQLite databases used for metadata storage, allowing attackers to execute data manipulation commands. The CVE also involves a lack of validation of SQLite database connection information imported from files, which can be abused to import maliciously constructed ZIP archives. Sunkavally said, "Superset versions 1.5 to 2.1.0 use Python's pickle package to store certain configuration data. An attacker with write access to the metadata database can insert an arbitrary pickle payload into the storage, triggering deserialization, resulting in remote code execution."

The new version of Superset also fixes the following defects:

  • A MySQL arbitrary file read vulnerability can be exploited to gain credentials to the metadata database.

  • Abusing the superset load_examples command to obtain the metadata database URI from the user interface and modify the data stored in it.

  • Use of default credentials in some Superset installations to access the metadata database.

  • When querying the /api/v1/database API as a privileged user, database credentials are leaked in clear text (CVE-2023-30776, fixed in version 2.1.0).

More than four months ago, Apache disclosed a high-severity vulnerability in the product, CVE-2023-27524 (CVSS score 8.9), which could allow an unauthenticated attacker to gain administrator rights on the server and execute arbitrary code. The issue is caused by the use of the default SECRET_KEY, which allows an attacker to authenticate to, and access unauthorized resources of, installations exposed on the Internet.

Horizon3.ai mentioned that since its public disclosure in April 2023, 2076 of the 3842 Superset servers observed still use the default SECRET_KEY, and 72 instances use very easy-to-guess SECRET_KEY values such as superset, SUPERSET_SECRET_KEY, 1234567890, admin, changeme, thisisasecretkey, and your_secret_key_here.

Sunkavally said, "Users should set Flask SECRET_KEY, which has led to some users setting weak keys." He therefore urged the maintainers to add support for automatic key generation. "The root cause of many vulnerabilities is that the Superset web interface allows users to connect to the metadata database."
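The weak and default SECRET_KEY values listed above are easy to check for before a deployment goes live. The following is an added example, not code from the article or from the Superset project: it scans a superset_config.py for the SECRET_KEY assignment, flags the values named in the article (plus anything shorter than an assumed 32-character minimum), and shows how to generate a strong replacement with Python's secrets module. The config text, the minimum length and the helper names are constructed for this example.

```python
import re
import secrets

# Weak or default SECRET_KEY values named in the article. Constructed list:
# extend it with the built-in default shipped by the Superset version you run.
WEAK_SECRET_KEYS = {
    "superset", "superset_secret_key", "1234567890", "admin",
    "changeme", "thisisasecretkey", "your_secret_key_here",
}

# Assumption for this example: anything shorter than this is treated as weak.
MIN_KEY_LENGTH = 32

# Matches a simple single-line assignment such as  SECRET_KEY = "value"  # comment
_SECRET_KEY_RE = re.compile(
    r"""^\s*SECRET_KEY\s*=\s*(['"])(.*?)\1\s*(#.*)?$""", re.MULTILINE
)


def extract_secret_key(config_text: str):
    """Return the SECRET_KEY string assigned in the config, or None if absent."""
    match = _SECRET_KEY_RE.search(config_text)
    return match.group(2) if match else None


def audit_secret_key(config_text: str) -> list:
    """Return a list of findings; an empty list means the key passed the checks."""
    findings = []
    key = extract_secret_key(config_text)
    if key is None:
        # An unset key means Superset falls back to its built-in default,
        # which is exactly the condition CVE-2023-27524 describes.
        findings.append("SECRET_KEY is not set: Superset will use its built-in default")
        return findings
    if key.lower() in WEAK_SECRET_KEYS:
        findings.append(f"SECRET_KEY is a known weak/default value: {key!r}")
    if len(key) < MIN_KEY_LENGTH:
        findings.append(
            f"SECRET_KEY is only {len(key)} characters (minimum {MIN_KEY_LENGTH})"
        )
    return findings


def generate_secret_key(nbytes: int = 42) -> str:
    """Produce a random URL-safe key suitable for pasting into superset_config.py."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample config with one of the weak values from the article.
SAMPLE_WEAK_CONFIG = """
# superset_config.py (constructed sample)
ROW_LIMIT = 5000
SECRET_KEY = "changeme"  # TODO: replace before deploying
"""


if __name__ == "__main__":
    for finding in audit_secret_key(SAMPLE_WEAK_CONFIG):
        print("FINDING:", finding)
    print("Suggested replacement: SECRET_KEY =", repr(generate_secret_key()))
```

The audit is deliberately a static check on the config file rather than a live request to the server, so it can run in a CI job before a Superset instance is ever exposed; a key that passes here still needs to be kept out of version control and rotated if it leaks.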


Original link

https://thehackernews.com/2023/09/alert-apache-superset-vulnerabilities.html

Title image: Pexels License

This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qianxin Code Guard https://codesafe.qianxin.com" when reprinting.


Origin blog.csdn.net/smellycat000/article/details/132769712