Carding
Professional
- Messages
- 2,870
- Reaction score
- 2,493
- Points
- 113
The developers have already released a fix, and you need to apply it as soon as possible.
Apache released updates that address two new vulnerabilities in the popular analytics platform SuperSet. Exploiting these vulnerabilities (CVE-2023-39265 and CVE-2023-37941 ) allows an attacker to gain remote access and control over the system.
The update to version 2.1.1 also fixes a separate issue with incorrect access rights to the REST API (CVE-2023-36388), which allowed users with low privileges to conduct SSRF attacks.
According to security experts from Horizon3, the SuperSet platform was originally designed to provide privileged users with access to arbitrary databases and the ability to execute SQL queries. If an attacker manages to connect to the metadata of the SuperSet itself, they will be able to access the configuration and credentials, as well as execute arbitrary code.
Vulnerability CVE-2023-39265 is related to bypassing URI verification when connecting to the SQLite metadata database, which allows performing arbitrary operations with data. This vulnerability is also attributed to the lack of verification when importing information about connecting to SQLite from a file, which can be used by attackers to import malicious files.
CVE-2023-37941 allows you to inject an arbitrary payload into a metadata repository and execute it remotely. This vulnerability is related to the use of the "pickle" library for data serialization. An attacker who has gained access to a record in the metadata database can inject malicious code that will be deserialized and executed on the server.
Other bugs fixed in the latest version of SuperSet include:
Experts recommend generating a unique "SECRET_KEY" for each SuperSet configuration, rather than using the default values. This will allow you to avoid compromising the system by intruders.
According to Horizon3, more than 2,000 of the approximately 4,000 public SuperSet servers still use default keys. About 70 systems have guessable keys like "superset " or"123456".
Experts believe that the root of many problems lies in the fact that the SuperSet web interface initially allows you to connect to the metadata database. This opens up opportunities for attacks, allowing you to manipulate the configuration and data.
The developers promise to restrict access to metadata in the future and implement automatic key generation. Users are strongly encouraged to install the latest updates and check their system security settings.
Vulnerabilities in popular Open Source solutions, such as SuperSet, can pose serious security risks for organizations. Experts urge you to monitor the release of updates and install them in a timely manner. It is also important to properly configure the system and not use the default credentials and keys.
Apache released updates that address two new vulnerabilities in the popular analytics platform SuperSet. Exploiting these vulnerabilities (CVE-2023-39265 and CVE-2023-37941 ) allows an attacker to gain remote access and control over the system.
The update to version 2.1.1 also fixes a separate issue with incorrect access rights to the REST API (CVE-2023-36388), which allowed users with low privileges to conduct SSRF attacks.
According to security experts from Horizon3, the SuperSet platform was originally designed to provide privileged users with access to arbitrary databases and the ability to execute SQL queries. If an attacker manages to connect to the metadata of the SuperSet itself, they will be able to access the configuration and credentials, as well as execute arbitrary code.
Vulnerability CVE-2023-39265 is related to bypassing URI verification when connecting to the SQLite metadata database, which allows performing arbitrary operations with data. This vulnerability is also attributed to the lack of verification when importing information about connecting to SQLite from a file, which can be used by attackers to import malicious files.
CVE-2023-37941 allows you to inject an arbitrary payload into a metadata repository and execute it remotely. This vulnerability is related to the use of the "pickle" library for data serialization. An attacker who has gained access to a record in the metadata database can inject malicious code that will be deserialized and executed on the server.
Other bugs fixed in the latest version of SuperSet include:
- vulnerability for reading arbitrary MySQL files that can be used to get credentials from the database;
- abusing the "load_examples" command to get the metadata database URI from the user interface and modify the data stored in it;
- using default credentials to access the metadata database in some SuperSet configurations;
- plaintext credentials leak when requesting the API "/api/v1/database " on behalf of a privileged user.
Experts recommend generating a unique "SECRET_KEY" for each SuperSet configuration, rather than using the default values. This will allow you to avoid compromising the system by intruders.
According to Horizon3, more than 2,000 of the approximately 4,000 public SuperSet servers still use default keys. About 70 systems have guessable keys like "superset " or"123456".
Experts believe that the root of many problems lies in the fact that the SuperSet web interface initially allows you to connect to the metadata database. This opens up opportunities for attacks, allowing you to manipulate the configuration and data.
The developers promise to restrict access to metadata in the future and implement automatic key generation. Users are strongly encouraged to install the latest updates and check their system security settings.
Vulnerabilities in popular Open Source solutions, such as SuperSet, can pose serious security risks for organizations. Experts urge you to monitor the release of updates and install them in a timely manner. It is also important to properly configure the system and not use the default credentials and keys.
