2023-09-07

Patches have been released in Apache Superset version 2.1.1 to address two security vulnerabilities, CVE-2023-39265 and CVE-2023-37941, which could allow an attacker to execute code remotely on affected systems. Both vulnerabilities involve Superset's metadata database.

In addition to these two flaws, the update fixes a separate issue with improper REST API permissions, CVE-2023-36388, which allows low-privilege users to carry out server-side request forgery (SSRF) attacks.

According to a technical write-up by Horizon3.ai's Naveen Sunkavally, Superset is designed to let privileged users connect to various databases and run SQL queries against them through the SQL Lab interface. If Superset can be tricked into connecting to its own metadata database, an attacker can read or write the application's configuration, which exposes stored credentials and leads to remote code execution.

CVE-2023-39265 lets an attacker bypass the URI checks that are meant to block connections to the SQLite database used as the metastore, so data manipulation commands can be run against it. The same CVE also covers the import of a maliciously crafted ZIP archive: SQLite database connection information imported from a file was not validated.

CVE-2023-37941 affects Superset versions 1.5 through 2.1.0 and stems from the use of Python's pickle package to store certain configuration data. An attacker with write access to the metadata database can insert an arbitrary pickle payload and trigger its deserialization, leading to remote code execution.
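As an added illustration (not Superset's own code or its fix), the pattern that makes a writable metadata database dangerous, beside two loaders that refuse to resolve arbitrary module references; the stored rows below are constructed, and the table name and function names are hypothetical.

```python
import collections
import io
import json
import pickle


def load_value_unsafe(blob: bytes):
    """Vulnerable pattern: every module.attribute reference inside the blob is
    resolved and may be called, so whoever can write the row controls execution."""
    return pickle.loads(blob)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses to resolve any module.attribute reference, so a stored blob can only
    yield plain containers and scalars (dict, list, tuple, str, int, ...)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden in stored config")


def load_value_restricted(blob: bytes):
    """Mitigation for legacy pickled rows: same format, no code-bearing references."""
    return NoGlobalsUnpickler(io.BytesIO(blob)).load()


def load_value_json(text: str) -> dict:
    """Preferred: a non-executable format; json.loads never instantiates classes."""
    value = json.loads(text)
    if not isinstance(value, dict):
        raise ValueError("stored config must be a JSON object")
    return value


def classify(blob: bytes) -> str:
    """'ok' if the blob loads under the restricted unpickler, 'rejected' otherwise."""
    try:
        load_value_restricted(blob)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample rows from a hypothetical key_value table.
BENIGN_ROW = pickle.dumps({"chart_id": 42, "filters": ["region = 'EU'"]})
# A blob that references a module global (here the harmless OrderedDict class):
# plain pickle.loads resolves such references, which is the primitive a writer of
# the metadata database abuses; the restricted loader refuses it outright.
GLOBAL_REF_ROW = pickle.dumps(collections.OrderedDict)

if __name__ == "__main__":
    print(classify(BENIGN_ROW), classify(GLOBAL_REF_ROW))  # ok rejected
```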

The latest Superset release also addresses several related weaknesses described in the same research:

– an arbitrary file read vulnerability in MySQL that can be exploited to obtain credentials for the metadata database;

– abuse of the superset load_examples command to modify data stored in the metadata database;

– use of default credentials to access the metadata database;

– leakage of database credentials in plaintext when a privileged user queries the /api/v1/database API (CVE-2023-30776, fixed in 2.1.0).

Furthermore, a high-severity flaw (CVE-2023-27524) was previously found to let unauthorized attackers gain admin access to Superset servers and execute arbitrary code. It resulted from installations running with the default SECRET_KEY. Since its public disclosure in April 2023, a significant number of Superset servers have continued to use default or easily guessable SECRET_KEY values.

In conclusion, the latest Apache Superset update addresses several security vulnerabilities, including paths to remote code execution and unauthorized server access. Users should apply the patches promptly to keep their systems secure.

Sources:

– https://horizon3.ai/blog/superset-remote-code-execution-through-metadata-database/

– https://horizon3.ai/blog/superset-remote-code-execution-through-invalidated-pickle-payloads/