=====================================================================
CERT-Renater Information Note No. 2024/VULN058
_____________________________________________________________________

DATE : 25/01/2024
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Superset versions prior to 3.0.3,
                     Apache Superset Helm chart versions prior to 0.10.15.
=====================================================================

https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx
https://lists.apache.org/thread/21yzxjtzpvx12bpqstn6hq18czbzrhtb
https://lists.apache.org/thread/o1rjcvnv8csrcvofo2xgqkjz3hs6915n
_____________________________________________________________________

CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title

Affected versions:
- Apache Superset through 3.0.3

Description:
A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.

For 2.X versions, users should change their config to include:

```
TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}
```

Credit:
Nick Barnes, Praetorian Security Inc. (reporter)
Amit Laish – GE Vernova (reporter)

References:
https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-49657
_____________________________________________________________________

Security advisory: session logout expiration

*Overview*:
Apache Superset uses Flask to handle user sessions. When users log in to Apache Superset, their browser receives a session cookie named `session`, and when they log out, that cookie is removed from their browser. If a session cookie is leaked to a malicious actor, the session can still be used even after the user has logged out.

*Affected Versions*
Apache Superset < 3.1.0

*Recommendations*:
Apache Superset 3.1.0 introduced the capability to use server-side sessions. This feature is disabled by default but can be enabled in the configuration by setting `SESSION_SERVER_SIDE = True`.

More details on:
https://superset.apache.org/docs/security/#switching-to-server-side-sessions

*Acknowledgments*:
We would like to thank Amit Laish (GE Vernova) for responsibly reporting this vulnerability.

Best Regards,
Daniel Gaspar / Apache Superset PMC
_____________________________________________________________________

Security advisory: default SECRET_KEY in Helm Chart

*Overview*:
The Apache Superset Helm chart contained a known default SECRET_KEY. This SECRET_KEY should be configured to a secure, unique random value by using `configOverrides.secret.SECRET_KEY` or `extraSecretEnv`; if it is not set, the default is assumed. The SECRET_KEY is used for securely signing the session cookie and encrypting sensitive data.

*Affected Versions*
Helm chart versions <= 0.10.15

*Recommendations*:
Upgrade your Helm chart to 0.11.0 or higher, or make sure you have set a unique random SECRET_KEY.

You can verify your current SECRET_KEY by accessing one of your Apache Superset instances and executing the following in a shell:

```
$ echo app.config[\"SECRET_KEY\"] | flask shell
```

Best Regards,
Daniel Gaspar / Apache Superset PMC

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41          +
+ 75013 Paris        | email:cert@support.renater.fr +
=========================================================
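The session-logout and SECRET_KEY advisories above both come down to how a Flask session cookie is signed and checked. As an added illustration, not code from the advisories or from Apache Superset, this stdlib-only model contrasts a client-side signed cookie with a server-side session store: the cookie format and the in-memory store are simplified stand-ins for Flask's and Superset's real mechanisms, and the sample session contents are constructed.

```python
import hashlib
import hmac
import json
import secrets

SECRET_KEY = secrets.token_bytes(32)  # stand-in for Flask's SECRET_KEY
SESSION_STORE = {}  # server-side store, used only by the second variant

def sign_client_session(data: dict) -> str:
    """Client-side session (Flask's default, simplified): the whole state
    lives in the cookie, protected only by an HMAC under SECRET_KEY."""
    payload = json.dumps(data, sort_keys=True).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + mac

def verify_client_session(cookie: str):
    """Return the session dict if the HMAC verifies, else None. No server
    state is consulted, so logout has nothing it could invalidate."""
    payload_hex, _, mac = cookie.partition(".")
    try:
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return json.loads(payload) if hmac.compare_digest(mac, expected) else None

def create_server_session(data: dict) -> str:
    """Server-side session (what SESSION_SERVER_SIDE enables, simplified):
    the cookie carries only an opaque id; the data stays on the server."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = dict(data)
    return sid

def lookup_server_session(sid: str):
    return SESSION_STORE.get(sid)

def logout_server_session(sid: str) -> None:
    SESSION_STORE.pop(sid, None)  # revocation is a server-side delete

def leaked_cookie_valid_after_logout() -> tuple:
    """A cookie copied before the user logs out, checked afterwards.
    Returns (client_side_still_valid, server_side_still_valid)."""
    user = {"user_id": 42, "role": "Admin"}  # constructed sample session
    leaked_client = sign_client_session(user)
    leaked_server = create_server_session(user)
    logout_server_session(leaked_server)  # the browser merely drops its copies
    return (verify_client_session(leaked_client) is not None,
            lookup_server_session(leaked_server) is not None)
```

The last function returns (True, False): the leaked client-side cookie still verifies after logout because the server holds no state to revoke, while the server-side id is gone. That client-side cookie is only as strong as the SECRET_KEY that signs it, which is why the Helm chart advisory insists on a unique random value.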