Apache Superset, a popular data visualization tool, is vulnerable to authentication bypass and remote code execution (RCE) due to an insecure default configuration.
Vulnerability Details:
- Component: Apache Superset
- CVE: CVE-2023-27524
- Issue: A predictable Flask SECRET_KEY (left at a known default) allows attackers to bypass authentication and gain admin privileges.
Impact:
- Attackers can access unauthorized resources, steal user credentials, and execute arbitrary code.
Mitigation:
- Set the SECRET_KEY configuration value to a long, randomly generated secret instead of the predictable default.
- Review and restrict access to Superset instances.
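One way to check a deployment for the first mitigation, as an added example that is not part of this advisory or the Superset project's own code: the script reads the SECRET_KEY from superset_config.py-style text (a constructed weak sample is embedded), reports why it is weak, and emits a replacement generated with Python's secrets module. The length and entropy thresholds and the placeholder word list are assumptions of this example.

```python
import math
import re
import secrets
from collections import Counter

# Constructed sample of an insecure superset_config.py line; the key is a made-up
# placeholder for this example, not one of Superset's real shipped defaults.
WEAK_CONFIG = 'SECRET_KEY = "changeme-example-key"\n'

MIN_KEY_CHARS = 32        # assumption: Superset docs generate 42 random bytes, so < 32 chars is weak
MIN_BITS_PER_CHAR = 3.0   # assumption: Shannon-entropy floor below which a key looks hand-typed
PLACEHOLDER_RE = re.compile(r"change|secret|password|example|test|todo", re.I)

def extract_secret_key(config_text):
    """Return the quoted SECRET_KEY string from config text, or None if it is not set."""
    m = re.search(r'^\s*SECRET_KEY\s*=\s*["\']([^"\']*)["\']', config_text, re.M)
    return m.group(1) if m else None

def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def audit_secret_key(key):
    """Return a list of findings; an empty list means the key passes these checks."""
    if key is None:
        return ["SECRET_KEY is not set, so Superset falls back to its built-in default"]
    findings = []
    if len(key) < MIN_KEY_CHARS:
        findings.append(f"too short ({len(key)} chars, want at least {MIN_KEY_CHARS})")
    if PLACEHOLDER_RE.search(key):
        findings.append("contains a placeholder-style word; likely a default, not a generated secret")
    if shannon_entropy(key) < MIN_BITS_PER_CHAR:
        findings.append(f"low entropy ({shannon_entropy(key):.2f} bits/char)")
    return findings

def generate_secret_key(nbytes=42):
    """Random URL-safe key, comparable to the `openssl rand -base64 42` the Superset docs suggest."""
    return secrets.token_urlsafe(nbytes)

def hardened_config_line(key=None):
    """Replacement SECRET_KEY line for superset_config.py, generating a key if none is given."""
    return f'SECRET_KEY = "{key or generate_secret_key()}"\n'

if __name__ == "__main__":
    for finding in audit_secret_key(extract_secret_key(WEAK_CONFIG)):
        print("weak SECRET_KEY:", finding)
    print("replace with:", hardened_config_line(), end="")
```

Rotating SECRET_KEY invalidates all existing sessions and, because Superset also uses it to encrypt stored database credentials, must be paired with the re-encryption step described in the Superset docs.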