Two recently discovered security flaws in Apache Superset have been patched; left unpatched, they could lead to remote code execution on vulnerable servers.
Version 2.1.1 of the software mitigates CVE-2023-39265 and CVE-2023-37941. If hostile actors succeed in taking over Superset’s metadata database, they may be able to use these flaws to carry out damaging operations.
The most recent Superset version fixes these vulnerabilities in addition to a separate problem with incorrect REST API permissions (CVE-2023-36388). Low-privilege users are no longer able to launch SSRF attacks thanks to this update.
“Superset, as part of its design, allows privileged users to establish connections with various databases and execute arbitrary SQL queries through the potent SQLLab interface,” Naveen Sunkavally from Horizon3.ai revealed in a thorough investigation.
A potential security flaw exists, though: “If Superset can be made to connect to its own metadata database, an attacker can directly access and change application configuration via SQLLab. By doing so, remote code execution and credential theft are made possible.”
CVE-2023-39265 concerns a URI bypass when connecting to the SQLite database used as the metastore, which lets attackers manipulate data. The same CVE number also covers a lack of validation when importing SQLite database connection details from a file; a maliciously crafted ZIP archive imported into Superset could trigger this weakness.
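A defensive check of the kind this fix calls for, added here as an example and not Superset’s own code: every database connection URI, whether entered in the UI or imported from a ZIP export, is normalised and accepted only if its dialect is on an explicit allowlist (the allowlist contents and the URIs in the comments are assumptions).

```python
from urllib.parse import unquote, urlsplit

# Assumed allowlist: only the dialects this deployment actually needs.
# An allowlist is preferred over blocking "sqlite", because a blocklist
# has to anticipate every spelling or driver variant of the scheme.
ALLOWED_DIALECTS = {"postgresql", "mysql", "mssql"}


def dialect_of(uri: str) -> str:
    """Return the normalised SQLAlchemy dialect name of a connection URI.

    SQLAlchemy URIs look like dialect[+driver]://...; the dialect is the
    part before any '+'. Surrounding whitespace is stripped, percent
    encoding is decoded, and the result is lower-cased so that
    variations of the same scheme compare equal.
    """
    scheme = urlsplit(unquote(uri.strip())).scheme
    return scheme.split("+", 1)[0].lower()


def is_allowed_connection_uri(uri: str) -> bool:
    """Accept a URI only if it has a scheme and that scheme's dialect is
    explicitly allowed; a bare file path (no scheme) is rejected too."""
    dialect = dialect_of(uri)
    return bool(dialect) and dialect in ALLOWED_DIALECTS


def validate_imported_connections(uris: list[str]) -> list[str]:
    """Apply the same rule to a batch of URIs, e.g. those read from an
    imported export, returning the ones that must be rejected."""
    return [u for u in uris if not is_allowed_connection_uri(u)]


if __name__ == "__main__":
    # Constructed sample of connection URIs as they might appear in an import.
    sample = [
        "postgresql+psycopg2://app:pw@db.internal:5432/examples",
        "sqlite:////var/lib/superset/superset.db",
        "  SQLite+pysqlite:///tmp/copy.db ",
        "/var/lib/superset/superset.db",
    ]
    for bad in validate_imported_connections(sample):
        print("rejected:", bad.strip())
```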
Sunkavally also identified CVE-2023-37941 as a vulnerability that affects Superset versions 1.5 to 2.1.0. He clarified that these versions use the pickle module in Python to store particular configuration information.
The problem is that an attacker with write access to the metadata database could insert a malicious pickle payload into the store and then trigger its deserialization, leading to remote code execution. Since it effectively enables an attacker to execute code on the target system, this raises major security concerns.
Only a few months earlier, the same cybersecurity firm had disclosed another serious problem (CVE-2023-27524, CVSS score: 8.9). These recurring vulnerabilities underline the importance of prompt patching and maintenance to thwart malicious actors.
It has been noted that a sizable portion of Superset servers still use default or easily guessed SECRET_KEYs even after that bug was made public in April 2023. This is a security risk, since systems that use weak or default keys are more susceptible to intrusion. To improve security and lower the risk of exploitation, Horizon3.ai proposes that the product’s maintainers consider adding functionality for automatically generating strong SECRET_KEYs.