CVE-2021-41192

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-41192

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41192.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-41192

Aliases

BIT-redash-2021-41192
GHSA-g8xr-f424-h2rv

Published

2021-11-24T16:15:14Z

Modified

2024-10-12T08:27:45.133910Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the REDASH_COOKIE_SECRET or REDASH_SECRET_KEY environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the REDASH_COOKIE_SECRET or REDASH_SECRET_KEY environment variables have not been explicitly set. This issue does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the getredash/setup repository. These instances automatically generate unique secret keys during installation. One can verify whether one's instance is affected by checking the value of the REDASH_COOKIE_SECRET environment variable. If it is c292a0a3aa32397cdb050e233733900f, should follow the steps to secure the instance, outlined in the GitHub Security Advisory.

References

Affected packages

Git / github.com/getredash/redash

Affected ranges

Type: GIT
Repo: https://github.com/getredash/redash
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ce60d20c4e3d1537581f2f70f1308fe77ab6a214

Affected versions

0.*

0.7.0

v0.*

v0.1.29

v0.1.30

v0.1.31

v0.1.32

v0.1.35

v0.1.45

v0.10.0.b1774

v0.11.0-rc

v0.11.0.b2016

v0.12.0.b2449

v0.2.58

v0.2.60

v0.2.62

v0.2.64

v0.2.70

v0.3.1+b85

v0.3.1+b91

v0.3.1+b93

v0.3.1+b96

v0.3.1+b98

v0.3.2+b101

v0.3.2+b105

v0.3.2+b106

v0.3.2+b108

v0.3.2+b111

v0.3.2+b113

v0.3.2+b115

v0.3.2+b122

v0.3.2+b124

v0.3.2+b126

v0.3.2+b130

v0.3.2+b131

v0.3.2+b132

v0.3.2+b134

v0.3.2+b137

v0.3.2+b138

v0.3.3+b139

v0.3.3+b149

v0.3.3+b152

v0.3.3+b154

v0.3.3+b155

v0.3.5+b158

v0.3.5+b161

v0.3.5+b162

v0.3.5+b169

v0.3.5+b170

v0.3.5+b173

v0.3.5+b175

v0.3.5+b185

v0.3.5+b186

v0.3.5+b201

v0.3.5+b207

v0.3.5+b210

v0.3.5+b212

v0.3.5+b217

v0.3.5+b219

v0.3.5+b222

v0.3.5+b223

v0.3.5+b227

v0.3.5+b232

v0.3.5+b235

v0.3.5+b237

v0.3.5+b238

v0.3.5+b250

v0.3.5+b264

v0.3.5+b271

v0.3.5+b279

v0.3.5+b281

v0.3.5+b287

v0.3.5+b293

v0.3.5+b299

v0.3.5+b304

v0.3.5+b306

v0.3.5+b311

v0.3.5+b314

v0.3.5+b316

v0.3.5+b317

v0.3.5+b320

v0.3.6+b322

v0.3.6+b327

v0.3.6+b328

v0.3.6+b330

v0.3.6+b332

v0.3.6+b334

v0.3.6+b336

v0.3.6+b339

v0.3.6+b341

v0.3.6+b343

v0.3.6+b346

v0.3.6+b349

v0.3.6+b352

v0.3.6+b354

v0.3.6+b359+b359

v0.3.6+b365

v0.3.6+b368

v0.3.6+b370

v0.3.6+b372

v0.3.6+b374

v0.3.6+b376

v0.3.6+b378

v0.3.6+b379

v0.3.7+b386

v0.3.7+b388

v0.4.0+b395

v0.4.0+b397

v0.4.0+b399

v0.4.0+b401

v0.4.0+b405

v0.4.0+b409

v0.4.0+b415

v0.4.0+b416

v0.4.0+b418

v0.4.0+b420

v0.4.0+b421

v0.4.0+b422

v0.4.0+b423

v0.4.0+b424

v0.4.0+b425

v0.4.0+b426

v0.4.0+b427

v0.4.0+b429

v0.4.0+b431

v0.4.0+b433

v0.4.0+b435

v0.4.0+b436

v0.4.0+b437

v0.4.0+b438

v0.4.0+b440

v0.4.0+b442

v0.4.0+b444

v0.4.0+b445

v0.4.0+b447

v0.4.0+b449

v0.4.0+b453

v0.4.0+b480

v0.4.0+b484

v0.4.0+b489

v0.4.0+b491

v0.4.0+b493

v0.4.0+b498

v0.4.0+b500

v0.4.0+b507

v0.4.0+b508

v0.4.0+b510

v0.4.0+b513

v0.4.0+b514

v0.4.0+b518

v0.4.0+b521

v0.4.0+b522

v0.4.0+b525

v0.4.0+b528

v0.4.0+b531

v0.4.0+b532

v0.4.0+b534

v0.4.0+b536

v0.4.0+b537

v0.4.0+b538

v0.4.0+b542

v0.4.0+b544

v0.4.0+b546

v0.4.0+b549

v0.4.0+b552

v0.4.0+b554

v0.4.0+b555

v0.4.0+b556

v0.4.0+b559

v0.4.0+b560

v0.4.0+b562

v0.4.0+b563

v0.4.0+b564

v0.4.0+b567

v0.4.0+b568

v0.4.0+b573

v0.4.0+b581

v0.4.0+b582

v0.4.0+b585

v0.4.0+b587

v0.4.0+b588

v0.4.0+b589

v0.4.0+b591

v0.4.0+b595

v0.4.0+b602

v0.4.0+b604

v0.4.0+b606

v0.4.0+b608

v0.4.0+b614

v0.4.0+b618

v0.4.0+b620

v0.4.0+b622

v0.4.0+b623

v0.4.0+b627

v0.4.0+b628

v0.4.0+b629

v0.4.0+b630

v0.4.0+b632

v0.4.0+b634

v0.4.0+b636

v0.4.0+b640

v0.4.0+b641

v0.5.0+b648

v0.5.0+b650

v0.5.0+b652

v0.5.0+b654

v0.5.0+b655

v0.5.0+b656

v0.5.0+b661

v0.5.0+b664

v0.5.0+b666

v0.5.0+b670

v0.5.0+b674

v0.5.0+b676

v0.5.0+b678

v0.5.0+b679

v0.5.0+b680

v0.5.0+b681

v0.5.0+b683

v0.5.0+b685

v0.5.0+b689

v0.5.0+b690

v0.5.0+b696

v0.6.0+b703

v0.6.0+b705

v0.6.0+b707

v0.6.0+b709

v0.6.0+b710

v0.6.0+b711

v0.6.0+b714

v0.6.0+b716

v0.6.0+b718

v0.6.0+b720

v0.6.0+b722

v0.6.0+b723

v0.6.0+b727

v0.6.0+b729

v0.6.0+b731

v0.6.0+b733

v0.6.0+b735

v0.6.0+b737

v0.6.0+b746

v0.6.0+b748

v0.6.0+b759

v0.6.0+b760

v0.6.0+b762

v0.6.0+b767

v0.6.0.b812

v0.6.1-rc

v0.6.1.b885

v0.6.2-rc

v0.6.2.b887

v0.6.3-rc

v0.6.3.b906

v0.6.4-rc

v0.7.0-rc

v0.7.1-rc

v0.7.1.b1015

v0.8.0-rc

v0.8.0.b1058

v0.8.1-rc

v0.8.1.b1110

v0.8.2-rc

v0.8.2.b1181

v0.8.3-rc

v0.8.3.b1192

v0.9.0-rc

v0.9.0.b1363

v0.9.1-rc

v0.9.1.b1377

v0.9.2-rc

v0.9.2.b1536

v1.*

v1.0.0-rc.1

v1.0.0-rc.2

v1.0.1

v1.0.2

v1.0.3

v2.*

v2.0.0

v3.*

v3.0.0

v4.*

v4.0.0

v4.0.0-beta

v4.0.0-rc.1

v4.0.1

v5.*

v5.0.0

v5.0.0-beta

v6.*

v6.0.0-beta