Skip to content

CVE-2023-27524

Insecure Default Initialization — is CVE-2023-27524real, exploitable, or a false positive? Here's the community ground truth.

☆ Watch
High · CVSS 8.9EPSS 97.4%CISA KEVCWE-1188 · Insecure Default Initialization

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.

References

NVD MITRE CVE.org CISA KEV

Published

Embed this verdict
TruePositive verdict for CVE-2023-27524
Markdown
[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2023-27524/badge.svg)](https://www.truepositive.app/cve/CVE-2023-27524)
HTML
<a href="https://www.truepositive.app/cve/CVE-2023-27524"><img src="https://www.truepositive.app/cve/CVE-2023-27524/badge.svg" alt="TruePositive verdict for CVE-2023-27524"></a>

Live badge — updates automatically as the community verdict changes.

Community ground truth

Community verdict

2 verdicts
Not a real issue

to add your verdict.

Community real-world severity: High (High 2) — CVSS base score 8.9

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

No notes yet — be the first to share what you saw or a fix that worked.

    Related CVEs

    Same weaknessCWE-1188 · Insecure Default Initialization.