9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
7.4 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%
When OpenID (2.0) is in use as the Authentication Type, it is possible for an attacker to forge authentication to any existing account in the target Airflow installation. This was possible by deceiving the app's backend into trusting an arbitrary OpenID 2.0 Identity Provider (even if the provider is not in the trusted IDP list in the config). In conclusion, an attacker could deploy their own IDP, fully subvert the target app's authentication and gain unauthorized access.
The Impact is Critical, but as OpenID (2.0) is a legacy mechanism, the severity was lowered to Medium on the basis of low usage probability.
Airflow uses Flask-AppBuilder as its basic authentication and authorization manager under the hood. The desired authentication option is configured in the Airflow config file. To use OpenID 2.0 as the auth type, the following option must be defined:
AUTH_TYPE = AUTH_OID
{F3097175}
As can be seen from the attachment, there is a predefined list of allowed IDPs. Normally the backend should have checked the value provided by the client (the IDP URL) against the allowed IDP list in the backend, but it did not.
When OpenID(2.0) is enabled, the login page of Airflow looks like this:
{F3097214}
Selecting a provider from the list and clicking the Sign In button triggers a request like this:
{F3097199}
The single body parameter of this POST request to the /login/ page, openid, is used to define the IDP provider URL. An attacker could change this URL to their malicious IDP, perform a fake authentication and deceive the backend into trusting it (as the allowed-providers check was not properly done).
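The fix the report calls for is an allow-list check on that openid form value before any OpenID flow starts. The following is an added example and not Flask-AppBuilder's or Airflow's own code: it assumes the configured providers are a list of {"name", "url"} entries (the shape of the "predefined list of allowed IDPs" described above) held under an assumed config key OPENID_PROVIDERS, and the provider list below is a constructed sample.

```python
"""Allow-list check for the OpenID 2.0 provider URL posted to /login/.

Added example, not Flask-AppBuilder's own code. The config key name
OPENID_PROVIDERS and the {"name", "url"} entry shape are assumptions.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the allow-list an operator would put in config.
OPENID_PROVIDERS = [
    {"name": "OpenStackID", "url": "https://openstackid.org"},
    {"name": "Example IdP", "url": "https://idp.example.org/openid"},
]


def _normalize(url: str) -> Optional[str]:
    """Canonicalize a provider URL so cosmetic variants compare equal.

    Lower-cases scheme and host, drops default ports, strips a trailing
    slash and the fragment. Returns None unless the value is an absolute
    http(s) URL with a host, so empty strings and odd schemes never match.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()  # hostname ignores any user@ prefix
    default = {"http": 80, "https": 443}[parts.scheme]
    netloc = host if port in (None, default) else f"{host}:{port}"
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, netloc, path, parts.query, ""))


def resolve_provider(posted_openid: str, providers=OPENID_PROVIDERS) -> Optional[dict]:
    """Return the configured provider entry matching the posted URL, else None.

    This is the check the report says was missing: the value of the
    ``openid`` form field must equal one of the configured URLs after
    canonicalization. Equality is deliberate; prefix or substring matching
    would accept a host such as openstackid.org.attacker.example.
    """
    wanted = _normalize(posted_openid)
    if wanted is None:
        return None
    for provider in providers:
        if _normalize(provider["url"]) == wanted:
            return provider
    return None


def login_handler(form: dict, providers=OPENID_PROVIDERS) -> str:
    """Stand-in for the POST /login/ branch: the OpenID flow is only begun
    for an allow-listed provider; anything else is rejected before any
    discovery request or redirect to the submitted URL happens."""
    provider = resolve_provider(form.get("openid", ""), providers)
    if provider is None:
        return "rejected: provider not in OPENID_PROVIDERS"
    return f"begin OpenID 2.0 flow with {provider['name']} at {provider['url']}"


if __name__ == "__main__":
    print(login_handler({"openid": "https://openstackid.org/"}))
    print(login_handler({"openid": "https://attacker.example/idp"}))
```

The important design point is that the posted value is matched by canonical equality against the operator's list and nothing else; the backend never uses the submitted URL as a discovery endpoint unless it resolves to a configured entry, which removes the "bring your own IDP" path the report describes.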
For a quick Proof of Concept demonstration, the "https://openstackid.org" IDP can be used:
{F3097206}
After successful authentication with the provider, the attacker is redirected to Airflow and logged in as the targeted existing user account:
{F3097209}
Leading to Full Account Hijacking
The Project Advisory:
https://lists.apache.org/thread/kf5kyfl6626kmp1wlxm6h0gk7vobny0y
The Github Advisory:
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj
Screenshot of email from the Team for Acknowledgement: (attachment not reproduced)
Extra screenshot, from a part of the report email: (attachment not reproduced)
Full Authentication Bypass via deceiving the backend server to trust arbitrary OpenID(2.0) IDPs.