CVE-2021-41192
Insecure default configuration
In short
Redash versions 10.0.0 and earlier fall back to a hardcoded, publicly known secret key when administrators do not set the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY` environment variables. Because the fallback is identical on every such installation, an attacker who knows it can forge session cookies and gain unauthorized access to the application.
Technical detail
The vulnerability affects Redash ≤ 10.0.0 whenever the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variable is not explicitly configured: the application then uses a default value that is shared across all installations and is public knowledge (`c292a0a3aa32397cdb050e233733900f`). Since that value is the key with which session cookies are signed, an attacker who knows it can mint cookies the server accepts as belonging to other users, including administrators, and so take over their accounts. Only manual deployments that left these variables unset are affected; the official Redash cloud images, the Digital Ocean marketplace droplets and the `getredash/setup` scripts generate unique keys during installation. An instance can be checked by inspecting the value of `REDASH_COOKIE_SECRET`: if it is the default above, the instance must be re-keyed following the GitHub Security Advisory.
Summary generated and translated by AI from the official description.
Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables have not been explicitly set. This issue does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository. These instances automatically generate unique secret keys during installation. One can verify whether one's instance is affected by checking the value of the `REDASH_COOKIE_SECRET` environment variable. If it is `c292a0a3aa32397cdb050e233733900f`, one should follow the steps to secure the instance outlined in the GitHub Security Advisory.
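The check the description asks for, as an added example: this is not code from the Redash project or from the advisory. It audits the environment of a manual deployment (here a constructed `.env` file of the kind used with docker-compose) for the two variables the advisory names, flags the known default, and proposes fresh values generated with the `secrets` module. Treating an unset variable as vulnerable is the conservative reading of the advisory, which tells administrators to set both explicitly; the `.env` parser, the function names and the 32-character minimum length are assumptions made for illustration.

```python
"""Audit a Redash deployment's environment for the CVE-2021-41192 default secret.

Added example, not Redash project code. The variable names and the default
value come from the advisory; the .env parsing, the function names and the
minimum-length threshold are assumptions for illustration.
"""
import secrets
from typing import Dict, List, Tuple

# Value every unconfigured Redash <= 10.0.0 instance falls back to (from the advisory).
KNOWN_DEFAULT = "c292a0a3aa32397cdb050e233733900f"
SECRET_VARS = ("REDASH_COOKIE_SECRET", "REDASH_SECRET_KEY")
MIN_SECRET_LEN = 32  # assumption: anything shorter is not a credible unique secret


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines of a docker-compose style .env file; comments and blanks are skipped."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_redash_env(env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (variable, status, detail) for each secret-bearing variable.

    status is one of:
      'vulnerable' - unset or equal to the known default, so sessions are forgeable
      'weak'       - set, but too short to count as a unique secret
      'ok'         - set to a unique value of reasonable length
    """
    findings: List[Tuple[str, str, str]] = []
    for var in SECRET_VARS:
        value = env.get(var)
        if value is None:
            findings.append((var, "vulnerable", "not set; Redash falls back to the shared default"))
        elif value == KNOWN_DEFAULT:
            findings.append((var, "vulnerable", "set to the publicly known default value"))
        elif len(value) < MIN_SECRET_LEN:
            findings.append((var, "weak", f"only {len(value)} characters long"))
        else:
            findings.append((var, "ok", "unique value present"))
    return findings


def is_vulnerable(env: Dict[str, str]) -> bool:
    """True if either variable leaves the instance on the shared default."""
    return any(status == "vulnerable" for _, status, _ in audit_redash_env(env))


def propose_fix(env: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of env with a fresh value for every variable that is not 'ok'."""
    fixed = dict(env)
    for var, status, _ in audit_redash_env(env):
        if status != "ok":
            # 256 bits from the OS CSPRNG, the same thing `openssl rand -hex 32` would give.
            fixed[var] = secrets.token_hex(32)
    return fixed


def render_env(env: Dict[str, str]) -> str:
    """Serialize back to KEY=VALUE lines so the result can be written over the old .env."""
    return "\n".join(f"{k}={v}" for k, v in sorted(env.items())) + "\n"


# Constructed sample: a manual deployment whose .env still carries the default cookie
# secret and never set REDASH_SECRET_KEY at all. Not taken from any real system.
SAMPLE_ENV_FILE = """\
# Redash .env (constructed sample)
PYTHONUNBUFFERED=0
REDASH_LOG_LEVEL=INFO
REDASH_REDIS_URL=redis://redis:6379/0
POSTGRES_PASSWORD=example
REDASH_DATABASE_URL=postgresql://postgres:example@postgres/postgres
REDASH_COOKIE_SECRET=c292a0a3aa32397cdb050e233733900f
"""

if __name__ == "__main__":
    current = parse_env_file(SAMPLE_ENV_FILE)
    for var, status, detail in audit_redash_env(current):
        print(f"{var}: {status} ({detail})")
    if is_vulnerable(current):
        print("\nProposed .env with unique secrets:")
        print(render_env(propose_fix(current)), end="")
```

Run it against the real `.env` (or the output of `docker compose config`) instead of the constructed sample to audit a deployment. Rotating either value invalidates existing sessions, which is the intended effect here; follow the GitHub Security Advisory for the full remediation steps before applying the new values.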
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N