CVE-2023-49657 in Superset

Summary

by MITRE • 01/23/2024

A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.

For 2.X versions, users should change their config to include:

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}


Analysis

by VulDB Data Team • 02/17/2024

The vulnerability CVE-2023-49657 represents a critical stored cross-site scripting flaw in Apache Superset versions prior to 3.0.3, which falls under the CWE-79 category of Cross-Site Scripting. This vulnerability specifically affects authenticated users who possess create or update permissions on charts or dashboards within the application. The flaw allows an attacker to inject malicious scripts or HTML snippets that persist within the application's database and execute whenever other users view the affected content. The stored nature of this vulnerability means that the malicious payload remains active even after the initial injection, making it particularly dangerous as it can affect multiple users over extended periods without requiring repeated exploitation attempts.

The root cause is insufficient input validation and output encoding in Apache Superset's chart and dashboard creation functionality. When users create or modify visualizations, the application does not properly sanitize user-provided content, so script or HTML fragments are stored in the backend database and later rendered to other users. The application also lacks Content Security Policy (CSP) directives or other controls that would stop such stored content from executing. The vulnerability is particularly concerning in multi-user environments where dashboard creators have elevated privileges, since it lets an attacker craft content that could compromise other users' sessions or extract sensitive information.

The operational impact of CVE-2023-49657 extends beyond simple script execution, as it can be leveraged for session hijacking, credential theft, and data exfiltration attacks. An authenticated attacker could inject scripts that steal session cookies, redirect users to malicious domains, or harvest sensitive data from the application's interface. The vulnerability aligns with ATT&CK technique T1531 for Establishing Persistence and T1566 for Phishing, as it enables attackers to maintain access through persistent malicious content and potentially compromise user credentials through session theft mechanisms. Organizations using Apache Superset versions before 3.0.3 face significant risk of unauthorized access and data breaches, particularly in environments where dashboard creators have broad permissions or where the application is used for sensitive business intelligence purposes.

The recommended mitigation is the Content Security Policy configuration provided in the advisory, which limits the sources from which scripts can be loaded and so blunts stored script injection even where the stored content is not sanitized. The TALISMAN_CONFIG settings restrict connect-src to known endpoints, set object-src to 'none', and combine 'strict-dynamic' with a per-response nonce on script-src (via content_security_policy_nonce_in), so that only scripts carrying the nonce, and scripts those load, are executed; inline styles remain permitted through 'unsafe-inline' on style-src. Additionally, organizations should implement proper user access controls, regularly audit dashboard permissions, and ensure all users have least-privilege access. Upgrading to Apache Superset 3.0.3 or later is the most effective long-term solution, as it includes built-in protections against this vulnerability and other security enhancements that address similar weaknesses in the application's architecture.
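As an added example (not Superset's or flask-talisman's own code), the following Python renders the advisory's content_security_policy block into a Content-Security-Policy header value, with the nonce handling that content_security_policy_nonce_in provides, and lints a policy for the gaps that would let stored chart or dashboard HTML execute. The helper names and the weakened variant are constructed for illustration.

```python
import secrets

# Constructed copy of the content_security_policy block from the advisory's TALISMAN_CONFIG.
ADVISORY_CSP = {
    "base-uri": ["'self'"],
    "default-src": ["'self'"],
    "img-src": ["'self'", "blob:", "data:"],
    "worker-src": ["'self'", "blob:"],
    "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"],
    "object-src": "'none'",
    "style-src": ["'self'", "'unsafe-inline'"],
    "script-src": ["'self'", "'strict-dynamic'"],
}

# Constructed weakened variant: inline scripts allowed, plugins unrestricted.
WEAK_CSP = dict(ADVISORY_CSP, **{"script-src": ["'self'", "'unsafe-inline'"],
                                "object-src": "*"})

def _sources(value):
    """Normalise a directive value (string or list) to a list of sources."""
    return [value] if isinstance(value, str) else list(value)

def render_csp(policy, nonce_in=("script-src",), nonce=None):
    """Serialise a policy dict into a Content-Security-Policy header value,
    appending a per-response nonce to the directives named in nonce_in
    (the role of content_security_policy_nonce_in in the advisory config)."""
    nonce = nonce or secrets.token_urlsafe(16)
    parts = []
    for directive, value in policy.items():
        sources = _sources(value)
        if directive in nonce_in:
            sources.append(f"'nonce-{nonce}'")
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)

def lint_csp(policy, nonce_in=()):
    """Return findings that would let stored HTML/JS in a chart or dashboard
    execute despite the policy; an empty list means no obvious gap."""
    findings = []
    script = _sources(policy.get("script-src", policy.get("default-src", [])))
    # Browsers ignore 'unsafe-inline' once a nonce or 'strict-dynamic' is present.
    if ("'unsafe-inline'" in script and "'strict-dynamic'" not in script
            and "script-src" not in nonce_in):
        findings.append("script-src allows 'unsafe-inline': injected <script> runs")
    if _sources(policy.get("object-src", [])) != ["'none'"]:
        findings.append("object-src is not 'none': plugin/object injection possible")
    if "base-uri" not in policy:
        findings.append("base-uri missing: <base> injection can redirect relative URLs")
    return findings
```

Run lint_csp against your deployed 2.x TALISMAN_CONFIG (passing its content_security_policy_nonce_in list as nonce_in) before and after applying the advisory's settings to confirm the gap is closed.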

Reservation

11/28/2023

Disclosure

01/23/2024

Moderation

accepted

CPE

ready

EPSS

0.00830

KEV

no

Activities

very low
