Apache Superset default secret key issue exploited by attackers
Take action: If you are using an Apache Superset version older than 2.1 and haven't changed the secret key, you have two options: change the secret key, or patch. Whatever you do, do it IMMEDIATELY, especially if your instance is exposed to the internet. If you are not sure whether the secret key was changed, assume it was not. Or just wait for hackers to check for you.
Learn More
CISA is warning of active exploitation of a well-known bug in Apache Superset, reported in April 2023 and tracked as CVE-2023-27524 (CVSS score 9.8). Apache Superset is a Python-based open-source application for data exploration and visualization.
This vulnerability arose because, by default, Superset used a specific, non-random secret key for generating authentication tokens. An attacker who knows the secret key of an instance can craft a token that is valid for that instance and log in. Users are expected to change this secret key upon installation, but at least 2,000 internet-exposed Superset instances are still using the default secret key and therefore remain vulnerable.
This flaw could allow attackers to gain admin access, modify database connections, and execute arbitrary SQL statements.
The issue was first identified in 2021 and partially addressed in 2022; it was fully resolved in Superset version 2.1, which refuses to start the server while the default key is still configured. CISA has not provided details of the active attacks, although the attack would be fairly easy to craft and automate.
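As an added example (not Superset's own code), the audit below does what a defender needs after reading the above: it checks a configured SECRET_KEY against a list of shipped defaults, mirrors the 2.1 startup guard that blocks the server when a default key is in use, and generates a strong replacement. The actual default key value is not on this page, so KNOWN_DEFAULT_KEYS holds a placeholder to be filled in from the installed config.py; the SUPERSET_SECRET_KEY environment variable is the one Superset's config reads.

```python
import math
import os
import secrets
from collections import Counter
from typing import List, Optional

# Placeholder: replace with the default value(s) shipped in your Superset
# version's config.py. The real default is deliberately not reproduced here.
KNOWN_DEFAULT_KEYS = {"<SUPERSET_DEFAULT_SECRET_KEY_PLACEHOLDER>"}

MIN_KEY_BYTES = 32  # 256 bits; Superset docs suggest `openssl rand -base64 42`
MIN_ENTROPY_BITS = 3.0  # per-character estimate; repeated/hand-typed keys fall below


def shannon_entropy_bits(s: str) -> float:
    """Estimate bits of entropy per character from character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def audit_secret_key(key: Optional[str]) -> List[str]:
    """Return findings for a configured key; an empty list means it looks acceptable."""
    findings: List[str] = []
    if not key:
        return ["SECRET_KEY is unset"]
    if key in KNOWN_DEFAULT_KEYS:
        findings.append("SECRET_KEY is a known shipped default (CVE-2023-27524)")
    if len(key.encode()) < MIN_KEY_BYTES:
        findings.append(f"SECRET_KEY shorter than {MIN_KEY_BYTES} bytes")
    if shannon_entropy_bits(key) < MIN_ENTROPY_BITS:
        findings.append("SECRET_KEY has low character entropy (looks hand-typed)")
    return findings


def startup_allowed(key: Optional[str]) -> bool:
    """Mirror Superset 2.1's guard: a missing or known-default key blocks startup."""
    return bool(key) and key not in KNOWN_DEFAULT_KEYS


def generate_secret_key(nbytes: int = 42) -> str:
    """Strong replacement key from the OS CSPRNG, url-safe base64 encoded."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    configured = os.environ.get("SUPERSET_SECRET_KEY")
    for finding in audit_secret_key(configured):
        print("FINDING:", finding)
    if not startup_allowed(configured):
        print("Server would refuse to start; rotate to e.g.:", generate_secret_key())
```

Rotating the key invalidates every existing session and re-encrypts nothing by itself; stored database credentials encrypted under the old key must be migrated with Superset's own rotation tooling before the old key is discarded.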