module
Apache Superset Signed Cookie RCE
| Disclosed |
|---|
| Sep 6, 2023 |
Disclosed
Sep 6, 2023
Description
Apache Superset versions These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that
of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user. From there the
Superset database is mounted, and credentials are pulled. A dashboard is then created. Lastly a pickled python payload can be
set for that dashboard within Superset's database which will trigger the RCE.
An attempt to clean up ALL of the dashboard key values and reset them to their previous values happens during the cleanup phase.
of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user. From there the
Superset database is mounted, and credentials are pulled. A dashboard is then created. Lastly a pickled python payload can be
set for that dashboard within Superset's database which will trigger the RCE.
An attempt to clean up ALL of the dashboard key values and reset them to their previous values happens during the cleanup phase.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.