Apache Superset RCE Vulnerabilities
Share this:
Apache has fixed a couple of security vulnerabilities in its product, Apache SuperSet, that could be exploited by an attacker to gain remote code execution on vulnerable systems.
The vulnerabilities tracked as CVE-2023-39265 and CVE-2023-37941, that could be exploited to take control of Superset’s metadata database.
Researchers found that Superset by design allows privileged users to connect to arbitrary databases and execute arbitrary SQL queries using the SQLLab interface. By tricking Superset into connecting to its own metadata database, an attacker can directly read or write application configuration through the interface, potentially leading to credential harvesting and remote code execution.
By default, Superset uses SQLite as its metadata database, and the SQLite file is located on the Superset web server. Attempting to connect to this SQLite database through the Superset UI doesn’t work, as Superset has safeguards in place to prevent sqlite connections.
It’s possible to bypass this safeguard by putting in the full SQLAlchemy URI containing both the dialect and driver name, e.g. sqlite+pysqlite:////app/superset_home/superset.db“
The URI bypass flaw CVE-2023-39265 affects Superset versions <= 2.1.0. The flaw was fixed by blocking any SQLAlchemy URIs starting with sqlite instead of just blocking the sqlite:// syntax.
Certain installations of Superset, such as docker-compose, use default credentials to access the metadata database. An attacker that knows the default credentials can connect to the metadata database and gain control over it.
The second vulnerability, tracked as CVE-2023-37941, is a remote code execution. Superset versions from 1.5 to 2.1.0 use python’s pickle package to store certain configuration data. Threat actors with write access to the metadata database can insert an arbitrary pickle payload into the store and then trigger deserialization of it, leading to remote code execution.
The latest version also fixed a leak of database credentials in plaintext when querying the /api/v1/database API as a privileged user. This issue has been tracked as CVE-2023-30776.
Nice Post.