67% of public Apache Superset servers use the access key from the configuration example

Researchers at Horizon3 have identified security problems in most installations of the Apache Superset data analysis and visualization platform. On 2124 of the 3176 public Apache Superset servers studied, they detected use of the generic secret key that is set by default in the sample configuration file. The Flask Python library uses this key to generate session cookies, so an attacker who knows the key can generate fictitious session parameters, connect to the Apache Superset web interface and download data from the connected databases, or arrange code execution with the privileges of Apache Superset.

Interestingly, the researchers first reported the problem to the developers back in 2021. After that, in the Apache Superset 1.4.1 release, published in January 2022, the value of the SECRET_KEY parameter was replaced with the string "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET", and a check was added to the code that writes a warning to the log if this value is in use.

In February of this year, the researchers decided to re-examine the vulnerable systems and found that few people pay attention to the warning: 67% of Apache Superset servers still use keys from configuration examples, deployment templates or documentation. Some large companies, universities and government agencies were among the organizations using default keys.


Specifying a working key in the sample configuration is now treated as a vulnerability (CVE-2023-27524), which is fixed in the Apache Superset 2.1 release by raising an error that blocks the platform from starting when the key from the example is used (only the key specified in the configuration example of the current version is taken into account; keys from earlier versions and keys from templates and documentation are not blocked). A dedicated script has been proposed for checking for the vulnerability over the network.
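
An added example, not code from the original article or from the Superset project: a static audit of a configuration file's SECRET_KEY that extends the startup check described above to keys copied from templates or documentation. The function names, the length and distinct-character thresholds, and the sample input are assumptions made for illustration.

```python
import ast
import secrets

# Placeholder string quoted on this page. Add any key you copied from a
# deployment template or documentation to this set (none are listed here).
KNOWN_PLACEHOLDERS = {"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"}
MIN_LENGTH = 32      # assumed local policy, not a Superset setting
MIN_DISTINCT = 10    # assumed local policy: rejects keys like "aaaa...a"


def extract_secret_key(config_source):
    """Return the last module-level literal assigned to SECRET_KEY, else None.

    The file is parsed with ast and never executed.
    """
    value = None
    for node in ast.parse(config_source).body:
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if "SECRET_KEY" in names:
            const = node.value
            is_literal = isinstance(const, ast.Constant) and isinstance(const.value, (str, bytes))
            value = const.value if is_literal else None
    return value


def audit_secret_key(config_source, placeholders=KNOWN_PLACEHOLDERS):
    """Return a list of findings; an empty list means the key passed every check."""
    key = extract_secret_key(config_source)
    if key is None:
        return ["SECRET_KEY is not set to a literal in this file; verify the value supplied at runtime"]
    if isinstance(key, bytes):
        key = key.decode("latin-1")
    findings = []
    if key in placeholders:
        findings.append("SECRET_KEY is a published placeholder value")
    if len(key) < MIN_LENGTH:
        findings.append(f"SECRET_KEY is shorter than {MIN_LENGTH} characters")
    if len(set(key)) < MIN_DISTINCT:
        findings.append(f"SECRET_KEY uses fewer than {MIN_DISTINCT} distinct characters")
    return findings


def new_secret_key():
    """Generate a fresh random key (42 random bytes, URL-safe base64)."""
    return secrets.token_urlsafe(42)


if __name__ == "__main__":
    sample = 'SECRET_KEY = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"\n'  # constructed input
    print(audit_secret_key(sample))
```

Replacing the key invalidates every session cookie signed with the old one, which is the intended effect when the old key was a published value.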



Source: opennet.ru
