67% of public Apache Superset servers use an access key from the sample configuration

Researchers from Horizon3 have drawn attention to security problems in most deployments of the Apache Superset data analysis and visualization platform. On 2124 of the 3176 public Apache Superset servers studied, they found the standard encryption key that is set by default in the sample configuration file. This key is used by the Flask Python library to generate session cookies, so an attacker who knows the key can forge session parameters, log in to the Apache Superset web interface and download data from the connected databases, or arrange code execution with the privileges of Apache Superset.

Notably, the researchers first reported the problem to the developers back in 2021. After that, in the Apache Superset 1.4.1 release, published in January 2022, the value of the SECRET_KEY parameter was replaced with the string "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET", and a check was added to the code that writes a warning to the log when this value is in use.

In February of this year, the researchers decided to repeat the scan of vulnerable systems and found that few people had heeded the warning: 67% of Apache Superset servers still use keys from sample configurations, deployment templates or documentation. The organizations using default keys included some large companies, universities and government agencies.


Shipping a working key in the sample configuration is now treated as a vulnerability (CVE-2023-27524). It was fixed in the Apache Superset 2.1 release by raising an error that blocks the platform from starting when the key from the sample configuration is used. Only the key from the sample configuration of the current version is checked; older default keys and keys from templates and documentation are not blocked. A dedicated script has been published for checking for the vulnerability over the network.
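Because the startup check in 2.1 only blocks the current sample key, operators can audit their own configuration against a wider list. The following Python check is an added example, not code from Apache Superset or Horizon3; the function names, the length and entropy thresholds, the environment variable name and the sample configurations are assumptions constructed for illustration.

```python
import ast
import math
from collections import Counter

# The only placeholder named in the article; add keys from your own templates/docs.
KNOWN_PLACEHOLDERS = {"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"}
MIN_LENGTH = 32         # assumed policy threshold, not a Superset requirement
MIN_ENTROPY_BITS = 3.5  # assumed floor for per-character Shannon entropy


def shannon_entropy(value: str) -> float:
    """Per-character Shannon entropy in bits."""
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in Counter(value).values())


def audit_secret_key(config_source: str, extra_placeholders=()) -> list:
    """Return findings for SECRET_KEY in the text of a superset_config.py file."""
    denylist = KNOWN_PLACEHOLDERS | set(extra_placeholders)
    findings, seen = [], False
    for node in ast.walk(ast.parse(config_source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets):
            continue
        seen = True
        if not (isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)):
            findings.append("non-literal: value is set at runtime, verify its source")
            continue
        key = node.value.value
        if key in denylist:
            findings.append("placeholder: key is a published sample value")
        if len(key) < MIN_LENGTH:
            findings.append("short: key has fewer than %d characters" % MIN_LENGTH)
        elif shannon_entropy(key) < MIN_ENTROPY_BITS:
            findings.append("low-entropy: key does not look randomly generated")
    if not seen:
        findings.append("missing: SECRET_KEY is not assigned in this file")
    return findings


# Constructed sample configurations, not taken from any real deployment.
SAMPLE_PLACEHOLDER = 'SECRET_KEY = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"\n'
SAMPLE_RUNTIME = 'import os\nSECRET_KEY = os.environ["SUPERSET_SECRET_KEY"]\n'
SAMPLE_RANDOM = 'SECRET_KEY = "q7Lw2ZxV9pKf4Tn8RbYc1Hd6Mg3Js5AeUoXi0NvB"\n'  # do not reuse

if __name__ == "__main__":
    for name in ("SAMPLE_PLACEHOLDER", "SAMPLE_RUNTIME", "SAMPLE_RANDOM"):
        print(name, audit_secret_key(globals()[name]) or "no findings")
```

Keys copied from older releases, deployment templates or documentation can be passed through `extra_placeholders`, which covers the cases the 2.1 startup check does not block.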



Source: opennet.ru
