CVE CyberSecurity Database News

CVE-2023-39264 - Apache Superset Stack Trace Exposure in REST API (Up to 2.1.) – Exploit Details and Security Insights

Poster -

Date: June 2024

Author: [Exclusive Post for Your Eyes Only]

Apache Superset is one of the most popular open-source data exploration and visualization platforms in the world. It is widely used by organizations of all sizes. But if you’re running Superset version 2.1. or older, you should be aware of a critical vulnerability – CVE-2023-39264.

This long read explains what happened, why it’s a problem, and how attackers could use it. We'll also see some exclusive code snippets and original references to help you secure your instance.

What is CVE-2023-39264?

CVE-2023-39264 is a vulnerability that exists in Apache Superset through version 2.1.. By default, Superset was configured to include detailed stack traces in error responses returned from its REST API. This means that whenever an unexpected error happened (like entering invalid input), the complete stack trace—including file names, line numbers, code paths and sometimes sensitive environment variables—could be sent back to the client that made the request.

In simple words: If an app shows you its detailed internal error messages, you might learn things you’re not supposed to know.

Why is Exposing Stack Traces Dangerous?

- Info Disclosure: Stack traces can leak sensitive information like file structures, library versions, backend frameworks, and sometimes secret variables or credentials.
- Recon for Attackers: Hackers use this info to plan their attack, find unpatched libraries, or detect weak spots in your custom code.
- Easier Exploitation: With full error information, even a casual attacker gets clues about bypasses, inputs to try, or what payloads could work.

Show Me the Stack Trace (Sample Output)

Let’s look at a simplified sample error. If you hit an endpoint with bad input, you might see something like this returned:

{
  "message": "Internal Server Error",
  "error_type": "DatabaseError",
  "stacktrace": [
    "File \"/app/superset/views/core.py\", line 541, in dashboard",
    "  dashboard = self.get_object(dash_id)",
    "File \"/app/superset/views/core.py\", line 387, in get_object",
    "  obj = self.datamodel.get(pk)",
    "File \"/app/superset/models/core.py\", line 254, in get",
    "  return self.session.query(self.model).get(pk)",
    "sqlalchemy.exc.DataError: (psycopg2.DataError) invalid input for integer"
  ]
}

Notice how much you can learn: file names, line numbers, backend (SQLAlchemy, psycopg2), and even hints about the database and structure.

How to Exploit CVE-2023-39264 (Step-by-Step)

Disclaimer: This information is for educational and defensive purposes only!

Find a REST API Endpoint:

Example: /api/v1/dashboard/999999

`sh

curl -i -X GET "https://superset.yourcompany.com/api/v1/dashboard/invalid_id"

`json

{

"stacktrace": [...massive_trace...]

}

Below is a sample Python script that automates looking for exposed stack traces in Superset APIs

import requests

target = 'https://superset.yourcompany.com/api/v1/dashboard/invalid_id'
headers = {'Accept': 'application/json'}

response = requests.get(target, headers=headers)

if 'stacktrace' in response.text:
    print('Vulnerable! Stack trace exposed.')
    print(response.json()['stacktrace'])
else:
    print('Safe. No stack trace exposed.')

*Yes* if you’re running 2.1. or older and haven’t changed the default error handling.

- *No* if you’ve upgraded to a newer version where stack trace exposure has been disabled by default.

Upgrade to the Latest Version:

Always upgrade Superset as soon as a new release is available. Download latest releases here.

"SHOW_STACKTRACES": False,

}

`

*(Consult the official documentation for options specific to your Superset version).*

CVE Details and Official References

- NVD: CVE-2023-39264
- Apache Superset Security Advisories
- Fix Commit in Superset repo

Bottom Line

CVE-2023-39264 is a classic example of how a simple configuration choice can expose your application’s deepest secrets to the world—with one bad request. Take it seriously, upgrade ASAP, and always test your public APIs for these exposures!

Timeline

Published on: 09/06/2023 13:15:00 UTC
Last modified on: 09/11/2023 14:28:00 UTC