CISA Warns of Apache Superset Vulnerability Exploitation

CISA has added a critical-severity Apache Superset flaw (CVE-2023-27524) to its Known Exploited Vulnerabilities catalog.

The US cybersecurity agency CISA on Monday announced that it has added six more entries to its Known Exploited Vulnerabilities (KEV) catalog, including an Apache Superset bug disclosed in April 2023.

Apache Superset is an open source application written in Python that allows users to explore and visualize large amounts of data.

Superset is based on the Flask web framework and it relies on session cookies signed with a secret key for authentication.

The secret key is meant to be randomly generated, but in April last year a penetration testing firm warned that Superset would, upon installation, default the key to a specific value, and that roughly 2,000 internet-accessible Superset instances were using that default key.

An attacker could use the default session key to log in as an administrator to these Superset instances, access the databases connected to the application, tamper with them, and execute code remotely.

“By default, database connections are set up with read-only permissions but an attacker with admin access can enable writes and DML (data model language) statements. The powerful SQL Lab interface allows attackers to run arbitrary SQL statements against connected databases,” the firm said.

The issue was initially discovered in 2021; in 2022 the default secret key value was rotated to a new default and a warning was added to the logs. Superset version 2.1 resolves the bug, now tracked as CVE-2023-27524, by refusing to start the server if the secret key is still set to the default value.
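To make the mechanism concrete, here is an added illustration (not code from Superset or from the article's source): a simplified model of a signed session cookie, showing that every instance sharing the same default key accepts the same signed session, and a startup guard in the spirit of the 2.1 fix. The HMAC format, the placeholder default key and the minimum length are assumptions, not Superset's actual values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a shipped default key; the real default values are
# not given on the page. Assumed minimum length is a local policy, not a Superset setting.
KNOWN_DEFAULT_KEYS = {"INSECURE_DEFAULT_PLACEHOLDER"}
MIN_KEY_LENGTH = 32


def sign_session(payload: dict, secret_key: str) -> str:
    """Simplified model of a signed session cookie: base64(JSON) + '.' + HMAC tag."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def load_session(cookie: str, secret_key: str):
    """Return the session dict if the tag verifies under secret_key, else None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def secret_key_problems(secret_key: str) -> list:
    """Startup guard: list reasons the key must be rejected (empty list means acceptable)."""
    problems = []
    if secret_key in KNOWN_DEFAULT_KEYS:
        problems.append("SECRET_KEY is a known default value")
    if len(secret_key) < MIN_KEY_LENGTH:
        problems.append("SECRET_KEY is shorter than the required minimum")
    return problems


def demo() -> dict:
    """A session signed under the shared default verifies on any instance using that default,
    but fails once the instance has its own randomly generated key."""
    shared_default = "INSECURE_DEFAULT_PLACEHOLDER"
    unique_key = secrets.token_urlsafe(48)
    cookie = sign_session({"_user_id": 1, "is_admin": True}, shared_default)
    return {
        "accepted_under_default": load_session(cookie, shared_default) is not None,
        "accepted_after_rotation": load_session(cookie, unique_key) is not None,
        "default_key_rejected_at_startup": bool(secret_key_problems(shared_default)),
        "unique_key_accepted_at_startup": not secret_key_problems(unique_key),
    }
```

Run `demo()` to see all four outcomes; a real deployment would call the startup guard before binding any port and abort on a non-empty result.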

CISA's addition of the vulnerability to the KEV catalog indicates that threat actors have started exploiting it in the wild. The agency, however, does not provide specific details on the observed attacks.


CISA also added to KEV two recently resolved Adobe ColdFusion flaws (CVE-2023-38203 and CVE-2023-29300), a code execution bug in Apple products (CVE-2023-41990), an improper access check issue in Joomla (CVE-2023-23752), and a command injection issue in D-Link DSL-2750B devices (CVE-2016-20017).

The Binding Operational Directive (BOD) 22-01 requires that federal agencies identify vulnerable products within their networks and apply available patches and mitigations within 21 days after a vulnerability is added to CISA’s KEV list.

While BOD 22-01 only applies to federal agencies, all organizations are encouraged to review the KEV catalog and prioritize patching for the vulnerabilities in it, or discontinue the use of the impacted products where mitigations are not available.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

