A vulnerability in Apache Superset, tracked as CVE-2023-25504, allows an authenticated user who holds specific privileges to perform Server-Side Request Forgery (SSRF) from the Superset server. It affects Apache Superset versions up to and including 2.0.1. This article describes the vulnerability, shows the entry point in the code, and links to the original references.

Description of Vulnerability

Apache Superset is an open-source data exploration and visualization web application with a large set of visualizations, a highly customizable interface, and built-in support for many SQL engines. A malicious actor who has been authenticated and granted the required permissions can misuse the import dataset feature to carry out SSRF attacks.

Through the import dataset functionality, an attacker can craft a malicious import file that causes the Superset server to issue requests to internal resources on the attacker's behalf. Because the request originates from the server, it reaches whatever the server can reach: this can lead to unauthorized access to sensitive data, internal network scanning, and follow-on attacks against internal assets.

Code Snippet

The vulnerable path begins in the import_datasource() function, which reads the uploaded dataset specification from the request, either as a raw string or as an uploaded file. A URL carried inside that specification is what the server later fetches; the snippet below shows only the entry point where the specification is read:

from flask import request

def import_datasource() -> None:
    # The specification may arrive as a plain string or as an uploaded file part.
    params = request.files.get("datasource_spec", "")
    if isinstance(params, str):
        filename = "datasource_spec.json"
        content = params.encode()
    elif hasattr(params, "filename"):
        filename = params.filename
        content = params.stream.read()

Exploitation requires an existing account that has been granted the permission to import datasets; unauthenticated users cannot reach this code path.

Once those conditions are met, the attacker crafts an import file whose SSRF payload is a URL pointing at an internal target. When the file is imported through the import dataset feature, the Superset server fetches that URL itself, from its own network position. The attacker can then use the server as a pivot to query internal resources and potentially gain unauthorized access to sensitive information.
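To make the weakness and its fix concrete, the following added example (not Superset's code and not from the original article) models the import path as plain functions: an import spec is a dict with a hypothetical "data" key whose URL the server fetches, shown first as the vulnerable pattern and then behind a deny-by-default URL check. The resolver is injectable so the example runs offline; FAKE_DNS, fake_fetch and the sample spec are constructed for illustration.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Added example, not Superset's code: a simplified stand-in for the fetch that a
# dataset import spec can trigger, in its vulnerable and hardened forms.

# Ranges that are never a legitimate import source from the server's vantage point.
# ipaddress' is_private alone misses some (e.g. 100.64.0.0/10), so list them explicitly.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched on the server's behalf."""


def default_resolver(host: str) -> list[str]:
    # Real DNS, both address families; demo() swaps in fake_resolver instead.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is IPv6 syntactically but reaches the IPv4 loopback.
    if getattr(ip, "ipv4_mapped", None) is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or any(ip in net for net in BLOCKED_NETWORKS))


def validate_fetch_url(url: str, resolver: Callable[[str], Iterable[str]] = default_resolver) -> str:
    """Deny-by-default check; returns the address to connect to, or raises UnsafeUrl.

    Every address the host resolves to must be public, and the caller should connect
    to the returned address instead of resolving again, so a DNS-rebinding host
    cannot pass the check and then flip to 127.0.0.1 between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeUrl("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no lookup needed
    except ValueError:
        # Hostnames, and shorthand such as 127.1 or 0x7f000001 that a resolver may
        # still turn into loopback, all go through the resolver.
        addrs = list(resolver(host))
    if not addrs:
        raise UnsafeUrl(f"{host!r} does not resolve")
    for addr in addrs:
        if is_blocked_address(addr):
            raise UnsafeUrl(f"{host!r} resolves to blocked address {addr}")
    return addrs[0]


def is_allowed(url: str, resolver: Callable[[str], Iterable[str]] = default_resolver) -> bool:
    try:
        validate_fetch_url(url, resolver)
        return True
    except UnsafeUrl:
        return False


def import_dataset_vulnerable(spec: dict, fetch) -> bytes:
    # The pattern behind the CVE: whatever URL the spec carries is fetched by the server.
    return fetch(spec["data"])


def import_dataset_hardened(spec: dict, fetch, resolver=default_resolver) -> bytes:
    url = spec.get("data")
    if url is None:
        return b""
    pinned = validate_fetch_url(url, resolver)
    return fetch(url, pinned_ip=pinned)   # the client must connect to the pinned address


# Constructed stand-ins so the example runs offline: a fake DNS table and a fake
# HTTP fetch that only records what it was asked to retrieve.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "0x7f000001": ["127.0.0.1"],                          # hex shorthand for loopback
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str, pinned_ip: Optional[str] = None) -> bytes:
    return f"FETCHED {url} via {pinned_ip or 'DNS'}".encode()


def demo() -> dict[str, str]:
    """Run one constructed spec aimed at the cloud metadata service through both versions."""
    spec = {"table_name": "sales", "data": "http://169.254.169.254/latest/meta-data/"}
    out = {"vulnerable": import_dataset_vulnerable(spec, fake_fetch).decode()}
    try:
        import_dataset_hardened(spec, fake_fetch, resolver=fake_resolver)
        out["hardened"] = "fetched"
    except UnsafeUrl as exc:
        out["hardened"] = f"rejected: {exc}"
    return out
```

Calling demo() shows the vulnerable path fetching the metadata URL and the hardened path rejecting it. Two design points matter in practice: the check resolves the host once and returns the address to pin, because a check that resolves and a client that resolves again are two lookups an attacker-controlled DNS zone can answer differently; and the allowlist of schemes plus the denylist of address ranges are both deny-by-default, so `file://`, `gopher://` and IPv4-mapped IPv6 literals fail without a dedicated rule each.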

Mitigation

Apache's advisory for this CVE recommends upgrading to Superset 2.1.0, which contains the fix. Where an upgrade cannot be applied immediately, administrators should tighten access control so that only a small, trusted set of users holds the permission to import datasets, and should monitor outbound traffic from the Superset host, in particular connections to link-local and cloud metadata addresses and to internal ranges the server has no business reaching, to detect SSRF attempts stemming from this vulnerability.
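The monitoring side of that advice, as an added detection example that is not from Superset or the original article: it reads egress/firewall records for the Superset host and raises two kinds of alert, any connection to a cloud metadata endpoint and a burst of connections to internal destinations that are not on the server's expected-egress allowlist. The log format, the Superset host address, the allowlist and the thresholds are all assumptions to adapt to your own environment, and SAMPLE_LOG is constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Added detection example, not from Superset or the original article. Everything
# below the imports (log format, host address, allowlist, thresholds) is assumed.

SUPERSET_HOST = "10.20.0.7"                                     # assumed Superset server
ALLOWED_EGRESS = {("10.20.1.10", 5432), ("10.20.1.11", 3306)}   # assumed warehouse endpoints
METADATA_ENDPOINTS = {"169.254.169.254", "fd00:ec2::254", "100.100.100.200",
                      "metadata.google.internal"}
SCAN_THRESHOLD = 5                  # distinct unexpected internal dst:port pairs ...
SCAN_WINDOW = timedelta(minutes=2)  # ... within this window looks like SSRF scanning

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample: a normal warehouse query and an outbound HTTPS call, then a
# burst that reads the cloud metadata service and probes several internal hosts.
SAMPLE_LOG = """\
2023-04-18T10:02:11Z src=10.20.0.7 dst=10.20.1.10 dport=5432 proto=tcp action=allow
2023-04-18T10:02:12Z src=10.20.0.7 dst=93.184.216.34 dport=443 proto=tcp action=allow
2023-04-18T10:02:30Z src=10.20.0.7 dst=169.254.169.254 dport=80 proto=tcp action=allow
2023-04-18T10:02:31Z src=10.20.0.7 dst=10.20.0.1 dport=22 proto=tcp action=allow
2023-04-18T10:02:31Z src=10.20.0.7 dst=10.20.0.1 dport=80 proto=tcp action=allow
2023-04-18T10:02:32Z src=10.20.0.7 dst=10.20.0.2 dport=8080 proto=tcp action=allow
2023-04-18T10:02:32Z src=10.20.0.7 dst=10.20.0.3 dport=6379 proto=tcp action=allow
2023-04-18T10:02:33Z src=10.20.0.7 dst=10.20.0.4 dport=9200 proto=tcp action=allow
2023-04-18T10:05:00Z src=10.20.0.9 dst=10.20.0.1 dport=22 proto=tcp action=allow
"""


def parse_line(line: str):
    """One log record as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def is_internal(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr.endswith(".internal")   # hostname form of a metadata service
    return ip.is_private or ip.is_loopback or ip.is_link_local


def detect(lines):
    """Alerts for the Superset host: metadata-service reads and internal fan-out."""
    alerts = []
    unexpected = []   # (ts, "dst:port") for internal destinations not on the allowlist
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] != SUPERSET_HOST:
            continue
        target = f"{ev['dst']}:{ev['dport']}"
        if ev["dst"] in METADATA_ENDPOINTS:
            alerts.append({"rule": "metadata_endpoint", "ts": ev["ts"], "target": target})
        if (ev["dst"], ev["dport"]) in ALLOWED_EGRESS or not is_internal(ev["dst"]):
            continue
        unexpected.append((ev["ts"], target))
    # Sliding window: many distinct internal targets in a short time is the
    # signature of an SSRF being used to scan, not of normal dashboard traffic.
    unexpected.sort()
    for ts, _ in unexpected:
        burst = {t for (t2, t) in unexpected if ts <= t2 <= ts + SCAN_WINDOW}
        if len(burst) >= SCAN_THRESHOLD:
            alerts.append({"rule": "internal_scan", "ts": ts, "targets": sorted(burst)})
            break   # one alert per burst is enough here
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The allowlist is what keeps this usable: a Superset server talks to its warehouses constantly, so only destinations outside that known set count toward the fan-out rule, and a single hit on a metadata endpoint is alerted on its own because there is no legitimate reason for an import to touch it.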

Original References

1. Apache Superset Official Website: https://superset.apache.org/
2. CVE-2023-25504 - NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2023-25504
3. Apache Superset GitHub Repository (source code): https://github.com/apache/superset

Conclusion

This article has discussed CVE-2023-25504, a vulnerability in Apache Superset that allows authenticated users with specific permissions to conduct SSRF attacks through the import dataset feature. Upgrading to a fixed release (2.1.0 or later) removes the issue; until then, strict access control over the import permission and close monitoring of the server's outbound traffic reduce the risk of exploitation.

Timeline

Published on: 04/17/2023 17:15:00 UTC
Last modified on: 04/27/2023 14:08:00 UTC