Abstract: Apache Superset is a popular open-source data exploration and visualization platform. In versions up to and including 2.1.0, the default REST API permissions granted the low-privilege Gamma role the ability to test database connections, so any authenticated Gamma user could make the Superset server open a connection to a database of the user's choosing. In this post we look at this issue (CVE-2023-36387): the permission involved, the endpoint that exposes it, and how an attacker would exercise it.

Background

The official documentation for Apache Superset can be found here: Apache Superset

Apache Superset is a data exploration and visualization platform designed to empower users with the ability to craft compelling data narratives. It integrates with various databases to power a wealth of data-driven applications, including interactive dashboards, analysis notebooks, and custom applications.

The Issue (CVE-2023-36387)

Improper default REST API permissions for Gamma users are the root cause of the issue. Gamma is Superset's limited, read-mostly role: Gamma users are meant to consume dashboards and charts built on data sources they have been granted, not to administer database connections. Due to an oversight in the default role definition, the Gamma role was nevertheless granted can_test_connection on the Database resource, a permission intended for administrators who configure connections. An authenticated Gamma user can therefore call the test-connection endpoint with an arbitrary connection string, make the Superset server attempt an outbound database connection, and learn from the result whether the target host, port and credentials are valid.

Details

Apache Superset versions up to and including 2.1.0 ship with an improper default REST API permission for the Gamma role: the permission set synced into the role includes can_test_connection on Database. This happens because the default permission settings do not exclude that permission from Gamma the way they exclude other administrative actions.

The following simplified sketch of the permission mapping illustrates the issue (it is an illustration of the Gamma permission set, not a verbatim excerpt of the Superset source):

```python
class SecurityManager(SupersetSecurityManager):
    def get_rbac_resources(self):
        return [
            (
                "database",
                "Database",
                [
                    "can_create",
                    "can_read",
                    "can_update",
                    "can_delete",
                    "can_test_connection",  # <= Gamma user should not have this!
                ],
            ),
            ...
        ]
```

As the sketch shows, the can_test_connection permission on Database ends up in the default permission set of every role, Gamma included, rather than being reserved for administrators.

For the authoritative description, refer to the original CVE record: CVE-2023-36387

Exploit

To exploit this vulnerability, an attacker needs a valid login for a Gamma account on the affected instance. With that access, the attacker proceeds as follows:

1. Authenticate (for example via the JWT login endpoint) and send a POST request to the test-connection endpoint:

```
POST /api/v1/database/test_connection/
```

2. Include a JSON body specifying the target database connection. The connection string is chosen entirely by the attacker, so it can point at any host the Superset server can reach, including internal databases the attacker cannot reach directly. For instance:

```json
{
  "sqlalchemy_uri": "mysql://user:password@host:port/dbname"
}
```

3. The Superset server attempts the connection on the attacker's behalf. A success response confirms that the host and port are reachable from the server and that the supplied credentials are valid; an error response typically carries the driver's failure reason (connection refused, timeout, authentication rejected). Repeating the call against different hosts, ports and credentials turns the endpoint into a connection oracle that lets a low-privilege user map and probe databases from the Superset server's network position.

Mitigation

Upgrade your Apache Superset installation to 2.1.1 or later, where the default permission set for Gamma no longer includes can_test_connection on Database. If you cannot upgrade immediately, remove that permission from the Gamma role (and from any custom roles derived from it) and confirm the fix by checking that a Gamma account receives HTTP 403 from the test-connection endpoint.
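For instances that cannot be upgraded right away, the permission can be audited and revoked from inside a Superset application context. The following is an added example, not Superset's own code or anything from the original post. It is written against the Flask-AppBuilder security-manager methods that Superset's security manager inherits as I understand them (`find_role`, `find_permission_view_menu`, `del_permission_role`, and the `role.permissions` list of permission/view-menu pairs), and is meant to be run from `superset shell` with `security_manager` passed in; the in-memory stand-in at the bottom is constructed so the example runs offline and models a vulnerable default Gamma role.

```python
"""Audit and revoke can_test_connection on Database for the Gamma role.

Added example, not Superset project code. Uses the Flask-AppBuilder security
manager methods Superset's manager inherits (assumption: find_role,
find_permission_view_menu, del_permission_role, role.permissions). The
InMemorySecurityManager below is a constructed stand-in for offline use.
"""

PERMISSION = "can_test_connection"
VIEW_MENU = "Database"


def role_has_pvm(role, permission, view_menu):
    """True if the role carries `permission` on `view_menu`."""
    return any(
        pvm.permission.name == permission and pvm.view_menu.name == view_menu
        for pvm in role.permissions
    )


def audit(sm, role_names=("Gamma", "Public"), permission=PERMISSION, view_menu=VIEW_MENU):
    """Map each role name to True/False for holding the permission, None if the role is absent."""
    result = {}
    for name in role_names:
        role = sm.find_role(name)
        result[name] = None if role is None else role_has_pvm(role, permission, view_menu)
    return result


def revoke(sm, role_name="Gamma", permission=PERMISSION, view_menu=VIEW_MENU):
    """Remove the permission from the role. Returns True if it was present and removed."""
    role = sm.find_role(role_name)
    if role is None:
        raise LookupError("role %r does not exist" % role_name)
    pvm = sm.find_permission_view_menu(permission, view_menu)
    if pvm is None or not role_has_pvm(role, permission, view_menu):
        return False
    sm.del_permission_role(role, pvm)
    return True


# ---- constructed offline stand-in; mirrors only the methods used above ----
class _Named:
    def __init__(self, name):
        self.name = name


class _PVM:
    """Permission/view-menu pair, shaped like FAB's PermissionView."""
    def __init__(self, permission, view_menu):
        self.permission = _Named(permission)
        self.view_menu = _Named(view_menu)


class _Role:
    def __init__(self, name, pvms):
        self.name = name
        self.permissions = list(pvms)


class InMemorySecurityManager:
    """Stand-in for superset.security_manager with a vulnerable default Gamma role."""
    def __init__(self):
        self._pvms = {(p, v): _PVM(p, v) for p, v in [
            ("can_read", "Database"), ("can_write", "Database"), (PERMISSION, VIEW_MENU)]}
        self._roles = {
            "Admin": _Role("Admin", self._pvms.values()),
            # Vulnerable default: Gamma holds can_test_connection on Database.
            "Gamma": _Role("Gamma", [self._pvms[("can_read", "Database")],
                                     self._pvms[(PERMISSION, VIEW_MENU)]]),
        }

    def find_role(self, name):
        return self._roles.get(name)

    def find_permission_view_menu(self, permission_name, view_menu_name):
        return self._pvms.get((permission_name, view_menu_name))

    def del_permission_role(self, role, perm_view):
        role.permissions.remove(perm_view)


if __name__ == "__main__":
    sm = InMemorySecurityManager()
    print("before:", audit(sm))
    print("revoked:", revoke(sm))
    print("after:", audit(sm))
    # Against a live instance, inside `superset shell`:
    #   from superset import security_manager
    #   print(audit(security_manager)); revoke(security_manager)
```

One caveat: `superset init` re-syncs the built-in role definitions, and on an unpatched version that would, as I understand it, re-grant the permission to Gamma, so this workaround has to be re-applied after running it and is not a substitute for upgrading.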

Conclusion

In summary, CVE-2023-36387 is an improper default REST API permission vulnerability in Apache Superset up to and including version 2.1.0. It allows authenticated Gamma users to test database connections, and with them to probe hosts and credentials from the Superset server's network position. Keeping your Apache Superset installation up to date is essential to minimize the risk from issues like this one.

Stay safe, and watch out for potential threats like this one. Remember, knowledge is power!

Timeline

Published on: 09/06/2023 13:15:00 UTC
Last modified on: 10/19/2023 18:47:00 UTC