67% of Public Apache Superset Servers Use a Default Key from the Configuration Examples

Researchers from Horizon3 have drawn attention to a security problem in the Apache Superset data analysis and visualization platform. Of the 3,176 public servers examined, 2,124 were found to be using a default secret key from the configuration file. Flask uses this key to sign session cookies, so an attacker who knows it can forge session parameters, connect to the Apache Superset interface, extract data from the connected database, or disrupt the operation of the system.

The researchers first reported the problem to the developers in 2021, and in the Apache Superset 1.5 release in early 2022 the value of the secret_key parameter was replaced with a more complex random string. A check was also added that warns users and prompts them to set a value of their own. Despite these warnings, 67% of Apache Superset servers still use the keys given in the configuration examples or the documentation, among them servers run by large companies, universities, and government institutions.

The use of default keys is now treated as a vulnerability (CVE-2023-27524) and has been addressed in Apache Superset 2.1, which now raises an error that blocks the deployment of vulnerable installations. A dedicated script has been published to check whether a system is vulnerable.
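As an added illustration (not code from the researchers or the Superset project), the following Python reproduces how Flask signs a session cookie with SECRET_KEY and shows the two checks that follow from the report: a startup guard that rejects a known placeholder key, and a verifier that tells whether a session cookie issued by your own deployment validates under such a key. The payload, the timestamp and the strong key are constructed; the placeholder list deliberately contains only the value documented in Superset's config.py and should be extended from your own configuration examples.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, time, zlib

# Placeholder key shipped in Superset's config.py; extend this tuple with any
# other placeholder values found in your own configuration examples or docs.
KNOWN_DEFAULT_KEYS = ("CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",)
SALT = b"cookie-session"  # salt Flask's session interface passes to itsdangerous

def is_default_key(configured: str) -> bool:
    """Startup guard in the spirit of Superset 2.1: refuse a known placeholder."""
    return configured in KNOWN_DEFAULT_KEYS

def _b64(data: bytes) -> bytes:
    # itsdangerous uses URL-safe base64 with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _derive(secret_key: str) -> bytes:
    # key_derivation="hmac": HMAC-SHA1 of the salt under the app's SECRET_KEY
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()

def sign_session(payload: dict, secret_key: str, ts: int | None = None) -> str:
    """Build a Flask-style session cookie (URLSafeTimedSerializer, SHA-1 HMAC)."""
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(raw)
    body = b"." + _b64(packed) if len(packed) < len(raw) - 1 else _b64(raw)
    stamp = int(time.time() if ts is None else ts)
    value = body + b"." + _b64(stamp.to_bytes((stamp.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_derive(secret_key), value, hashlib.sha1).digest()
    return (value + b"." + _b64(sig)).decode()

def key_that_validates(cookie: str, candidates=KNOWN_DEFAULT_KEYS) -> str | None:
    """Return the candidate key whose signature matches the cookie, else None.
    Run it on a cookie from your own server: a hit means sessions use a public key."""
    value, _, sig = cookie.encode().rpartition(b".")
    for key in candidates:
        expected = _b64(hmac.new(_derive(key), value, hashlib.sha1).digest())
        if hmac.compare_digest(expected, sig):
            return key
    return None

if __name__ == "__main__":
    # Constructed demo: a session issued by a server still on the placeholder key.
    cookie = sign_session({"user_id": 1}, KNOWN_DEFAULT_KEYS[0])
    print("weak key in use:", key_that_validates(cookie))
```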
