Apache Superset Vulnerability List
15 vulnerabilities related to Apache Superset found
CVE-2021-44451: Apache Superset Default Password POC
Apache Superset up to and including 1.3.2 allowed the passwords of registered database connections to leak to authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher. Fofa: app="APACHE-Superset"
CVE-2023-27524: Apache Superset Authentication Bypass POC
Apache Superset session validation vulnerability: because the default SECRET_KEY in the configuration was not changed as the installation instructions require, an attacker is able to authenticate and access unauthorized resources. After a successful Superset login the page redirects to /superset/welcome/; capturing the request and changing the session value bypasses authentication and grants access to the backend. If it fails, the response says "Missing Authorization Header"; a "Not found" response does not indicate failure, as directly requesting /superset/welcome/ with the session value still reaches the backend. FOFA: app="APACHE-Superset"
CVE-2024-39887: Apache Superset < 4.0.2 - SQL Injection POC
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.
shodan-query:
- http.favicon.hash:"1582430156"
- http.html:"apache superset"
fofa-query:
- body="apache superset"
- icon_hash=1582430156
CVE-2021-44451: Apache Superset <=1.3.2 - Default Login POC
Apache Superset through 1.3.2 contains a default login vulnerability via registered database connections for authenticated users. An attacker can obtain access to user accounts and thereby obtain sensitive information, modify data, and/or execute unauthorized operations.
CVE-2023-27524: Apache Superset - Authentication Bypass POC
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
CVE-2024-39887: Apache Superset < 4.0.2 - SQL Injection POC
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.
Apache Superset Improper Privilege Management Vulnerability (No POC)
Apache Superset CVE-2021-28125 URL Open Redirect Vulnerability (No POC)
An open redirect vulnerability exists in Apache Superset, caused by incorrect validation of user input.
Apache Superset Authentication Bypass Vulnerability (No POC)
Apache Superset Authentication Bypass Vulnerability (access succeeded) (No POC)
Apache Superset CVE-2023-37941 Remote Code Execution Vulnerability (No POC)
Apache Superset Cookie Privilege Bypass Vulnerability (CVE-2023-27524) (No POC)
Apache Superset is an open-source, modern data exploration and visualization platform. A privilege bypass vulnerability exists in Apache Superset cookies; an attacker can use it to take control of the entire system, ultimately leaving the system in an extremely insecure state.
Apache Superset < 2.1.1 Backend Remote Code Execution Vulnerability (No POC)
Apache Superset is an open-source data visualization tool; its metadata database stores Superset metadata (such as configuration information). Python's pickle package is used to serialize and deserialize Python objects.
Apache Superset Privilege Bypass Vulnerability (CVE-2023-27524) (No POC)
Apache Superset is a data visualization and data exploration platform from the Apache Foundation (USA). Apache Superset versions 2.0.1 and earlier contain a security vulnerability. An attacker can exploit it to authenticate and access unauthorized resources.
Apache Superset Default Credentials (CVE-2021-44451) (No POC)
Apache Superset is an open-source, modern data exploration, analysis and visualization reporting platform developed mainly in Python; it supports a rich set of data sources and offers a wide variety of visualization charts. The platform ships with default credentials, and an attacker can log in to obtain large amounts of sensitive information.