SAML Privilege Escalation via PySAML2

Critical
arikfr published GHSA-rm5x-rgmf-qv5c Apr 3, 2023

Package

Redash

Affected versions

<=11

Patched versions

>11

Description

Impact

Redash is currently using a version of PySAML2 with a vulnerability that could allow for privilege escalation if SAML authentication is enabled. If you do not use SAML authentication, you are not affected.

Patches

Upgrade PySAML2 to version 6.5.0. Alternatively, you can disable SAML authentication in your deployment.

We plan to release a version of Redash that is not affected by this vulnerability in the future. In the meantime, see the "Workarounds" section below for instructions on how to address this issue.

Workarounds

If you're not using a Docker-based deployment, you need to update PySAML2 to version 6.5.0.

If you're deploying with Docker, you need to create a custom image. This guide is for Docker Compose, but can be adapted for other types of deployments.

  1. Check your docker-compose.yml file to determine the Docker image version you're using. In this example it's redash/redash:10.1.0.b50633. If you're using the standard deployment, it will be in the x-redash-service section of your docker-compose.yml file.
  2. Create a new Dockerfile file (place it in the same folder as the docker-compose.yml file):

     FROM redash/redash:10.1.0.b50633

     RUN pip install --upgrade pysaml2==6.5.0

  3. Update the docker-compose.yml file to use your new image (shown as a diff against the standard file):

     version: "2"
     x-redash-service: &redash-service
     -  image: redash/redash:10.1.0.b50633
     +  build:
     +   context: .
     +   dockerfile: Dockerfile
       depends_on:
         - postgres
         - redis
       env_file: /opt/redash/env
       restart: always

  4. Rebuild and restart by running docker-compose up -d.

To invalidate all existing sessions, change your REDASH_COOKIE_SECRET value:

  1. Edit /opt/redash/env (or any other method you use to pass environment variables to your deployment).
  2. Update the value of REDASH_COOKIE_SECRET to a new random value.
  3. Run docker-compose up -d again to restart everything and pick up this new value.

References

PySAML2 advisory

Severity

Critical 9.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2021-21239

Weaknesses

No CWEs

Credits