67% of public Apache Superset servers use the access key from the sample configuration

Researchers at Horizon3 have drawn attention to security problems in most installations of Apache Superset, the data analysis and visualization platform. On 2124 of the 3176 public Apache Superset servers examined, they found the stock secret key that is set by default in the sample configuration file. This key is used by the Flask Python library to generate session cookies, so an attacker who knows the key can craft fictitious session parameters, connect to the Apache Superset web interface and load data from the attached databases, or arrange for code to run with the privileges of Apache Superset.

Interestingly, the researchers had already reported the problem to the developers in 2021. After that, in the Apache Superset 1.4.1 release, produced in January 2022, the value of the SECRET_KEY parameter was replaced with the string "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET", and a check was added to the code that writes a warning to the log when this value is in use.

In February of this year, the researchers decided to scan for vulnerable systems again and found that few people heed the warning: 67% of Apache Superset servers still use keys taken from configuration examples, deployment templates or documentation. The organizations using default keys included some large companies, universities and government agencies.

Shipping a working key in the sample configuration is now treated as a vulnerability (CVE-2023-27524). It is fixed in the Apache Superset 2.1 release by raising an error that prevents the platform from starting when the key from the example is in use. Only the key specified in the current version's sample configuration is taken into account; older stock keys and keys from templates and documentation are not blocked. A dedicated script has been offered for checking for the vulnerability over the network.
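Because the 2.1 startup check only rejects the key from the current sample configuration, operators may want their own pre-deployment audit with a wider denylist. The following is an added example, not code from Superset or Horizon3: the function names, the `min_bits` threshold and the crude entropy heuristic are assumptions, and the denylist contains only the placeholder quoted above.

```python
import ast
import math
from collections import Counter

# The placeholder quoted in the article; extend with every key that appears in
# your own deployment templates, container images or internal documentation.
KNOWN_PLACEHOLDERS = {"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"}


def extract_secret_key(config_source):
    """Return ('literal', value), ('dynamic', None) or ('missing', None)."""
    result = ("missing", None)
    for node in ast.parse(config_source).body:
        if not isinstance(node, ast.Assign):
            continue
        if any(isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets):
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                result = ("literal", node.value.value)  # last assignment wins
            else:
                result = ("dynamic", None)  # e.g. os.environ[...]; resolved at runtime
    return result


def entropy_bits(value):
    """Crude Shannon estimate over the whole string, in bits (heuristic only)."""
    counts = Counter(value)
    n = len(value)
    return -sum(c * math.log2(c / n) for c in counts.values())


def audit_secret_key(config_source, placeholders=KNOWN_PLACEHOLDERS, min_bits=128):
    """Classify the SECRET_KEY setting found in a superset_config.py source text."""
    kind, value = extract_secret_key(config_source)
    if kind == "missing":
        return "FAIL: SECRET_KEY not set, the packaged default would apply"
    if kind == "dynamic":
        return "REVIEW: SECRET_KEY is computed; audit the value it resolves to"
    if value in placeholders:
        return "FAIL: SECRET_KEY is a published placeholder"
    if entropy_bits(value) < min_bits:
        return "FAIL: SECRET_KEY is too short or too repetitive"
    return "OK"
```

The audit parses the file without importing it, so it can run in CI against configuration that is not safe to execute.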


Source: opennet.ru
