CVE-2021-41192 : Vulnerability Insights and Analysis

Learn about CVE-2021-41192 affecting Redash versions 10.0.0 and earlier. Explore the impact, technical details, and steps to prevent session forging by attackers.

Redash is a package for data visualization and sharing. An insecure default configuration in Redash versions 10.0.0 and prior may lead to session forging by attackers.

Understanding CVE-2021-41192

The vulnerability is that Redash falls back to a built-in default secret key when none is configured; an attacker who knows that default can forge user sessions that the instance accepts.

What is CVE-2021-41192?

Redash versions 10.0.0 and earlier use a default secret key, leaving instances vulnerable to session hijacking if environment variables are not explicitly set.

The Impact of CVE-2021-41192

        CVSS Score: 8.1 (High)
        Severity: High
        Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
        CWE ID: CWE-1188

Technical Details of CVE-2021-41192

The weakness is classified as CWE-1188 (insecure default initialization of a resource): the secret used to protect sessions has a default value that is used whenever the administrator does not override it.

Vulnerability Description

Administrators who do not explicitly set REDASH_COOKIE_SECRET or REDASH_SECRET_KEY face the risk of session forgery using the default secret key.

Affected Systems and Versions

        Product: Redash
        Vendor: Getredash
        Versions Affected: <= 10.0.0

Exploitation Mechanism

Attackers exploit the default secret key in Redash versions 10.0.0 and earlier to forge user sessions.

Mitigation and Prevention

To secure Redash instances, follow these steps:

Immediate Steps to Take

        Set unique values for REDASH_COOKIE_SECRET and REDASH_SECRET_KEY
        Verify and update environment variables
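The two immediate steps above, generating distinct secrets and verifying that the deployment no longer relies on defaults, as an added example (not code from Redash or from this page's author). It assumes the secrets are supplied through the two environment variables the advisory names, and the minimum-length and character-diversity thresholds are this example's own choices rather than values the page states.

```python
"""Generate and validate the Redash session secrets named in the advisory.

Added example, not Redash project code. Assumes the secrets are read from
the environment variables REDASH_COOKIE_SECRET and REDASH_SECRET_KEY and
that a value is acceptable only when it is present, sufficiently long,
not trivially repetitive, and distinct from the other secret.
"""
import os
import secrets
from typing import Dict, List

REQUIRED_VARS = ("REDASH_COOKIE_SECRET", "REDASH_SECRET_KEY")
MIN_LENGTH = 32        # minimum characters; threshold chosen for this example
MIN_DISTINCT_CHARS = 8 # crude guard against values like "aaaa..." or "changeme"


def generate_secret(nbytes: int = 32) -> str:
    """Return a hex string of nbytes random bytes from the OS CSPRNG (64 chars by default)."""
    return secrets.token_hex(nbytes)


def render_env_file() -> str:
    """Produce an env-file snippet with a fresh, independent value for each variable."""
    return "".join(f"{name}={generate_secret()}\n" for name in REQUIRED_VARS)


def check_secrets(env: Dict[str, str]) -> List[str]:
    """Inspect an environment mapping; return findings (empty list means both secrets look fine)."""
    findings: List[str] = []
    for name in REQUIRED_VARS:
        value = env.get(name)
        if not value:
            # Unset or empty means Redash would fall back to its built-in default.
            findings.append(f"{name} is not set; the built-in default would be used")
            continue
        if len(value) < MIN_LENGTH:
            findings.append(f"{name} is shorter than {MIN_LENGTH} characters")
        if len(set(value)) < MIN_DISTINCT_CHARS:
            findings.append(f"{name} has very low character diversity")
    cookie, key = (env.get(n) for n in REQUIRED_VARS)
    if cookie and key and cookie == key:
        findings.append("REDASH_COOKIE_SECRET and REDASH_SECRET_KEY are identical; use distinct values")
    return findings


if __name__ == "__main__":
    # Print a snippet suitable for an .env file, then audit the current environment.
    print(render_env_file(), end="")
    for finding in check_secrets(dict(os.environ)):
        print("FINDING:", finding)
```

Run it once to emit values for the deployment's env file, and run the check against the environment of the Redash process (for example inside the container) to confirm neither variable is missing before and after the change.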

Long-Term Security Practices

        Implement secure secret key management practices
        Regularly review and update security configurations

Patching and Updates

        Update Redash to a version later than 10.0.0, which no longer relies on the default secret key.
