=====================================================================

                                 CERT-Renater

                       Information Note No. 2024/VULN126
_____________________________________________________________________

DATE                : 15/03/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior
                     to 2.8.2.

=====================================================================
https://lists.apache.org/thread/z2gzkzdwy98rcd7wttlsccdcrd7pfj8p
_____________________________________________________________________

CVE-2024-25128: Vulnerability in custom, long deprecated OpenID (NOT
OIDC) authentication method in Flask AppBuilder

Severity: moderate

Affected versions:
- Apache Airflow before 2.8.2

Description:

When the Flask-AppBuilder ``AUTH_TYPE`` configuration is set to
``AUTH_OID``, an attacker can forge an HTTP request that could
deceive the backend into using any requested OpenID service.

This vulnerability could grant an attacker unauthorised privileged
access if a custom OpenID service is deployed by the attacker and
accessible by the backend.

For more details and remediation, see the blog post here:
https://airflow.apache.org/blog/fab-oid-vulnerability/
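
A defender-side check for the condition described above, added here as
an example and not taken from the Apache advisory or the Airflow
project: it parses a Flask-AppBuilder config file (Airflow's
``webserver_config.py`` is assumed) without executing it and reports
whether ``AUTH_TYPE`` selects ``AUTH_OID`` on a version before 2.8.2.
The function names and sample configs are constructed for illustration.

```python
import ast
import re

FIXED = (2, 8, 2)   # versions before 2.8.2 are affected, per this note
AUTH_OID_VALUE = 0  # value of Flask-AppBuilder's AUTH_OID constant

def auth_type_of(config_source):
    """Return the last top-level AUTH_TYPE value as written (name or literal)."""
    found = None
    for node in ast.parse(config_source).body:
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "AUTH_TYPE" for t in node.targets):
            continue
        value = node.value
        if isinstance(value, ast.Name):         # AUTH_TYPE = AUTH_OID
            found = value.id
        elif isinstance(value, ast.Attribute):  # AUTH_TYPE = const.AUTH_OID
            found = value.attr
        elif isinstance(value, ast.Constant):   # AUTH_TYPE = 0
            found = value.value
        else:
            found = None                        # computed value: not resolved here
    return found

def parse_version(text):
    """'2.8.1' -> (2, 8, 1); a suffix such as 'rc1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_exposed(config_source, airflow_version):
    """True when the config selects AUTH_OID on an affected Airflow version."""
    value = auth_type_of(config_source)
    uses_oid = value == "AUTH_OID" or (type(value) is int and value == AUTH_OID_VALUE)
    return uses_oid and parse_version(airflow_version) < FIXED

# Constructed sample configs (not from any real deployment).
SAMPLE_OID = "from flask_appbuilder.security.manager import AUTH_OID\nAUTH_TYPE = AUTH_OID\n"
SAMPLE_DB = "from flask_appbuilder.security.manager import AUTH_DB\nAUTH_TYPE = AUTH_DB\n"

if __name__ == "__main__":
    for name, src, ver in [("oid/2.8.1", SAMPLE_OID, "2.8.1"),
                           ("oid/2.8.2", SAMPLE_OID, "2.8.2"),
                           ("db/2.7.3", SAMPLE_DB, "2.7.3")]:
        print(name, "EXPOSED" if is_exposed(src, ver) else "ok")
```

A config that computes ``AUTH_TYPE`` at run time (for example from an
environment variable) is not resolved by this static check and needs
manual review.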

Credit:
Islam Rzayev (finder)

References:

https://airflow.apache.org/
https://github.com/dpgaspar/Flask-AppBuilder/pull/2186
https://airflow.apache.org/blog/fab-oid-vulnerability/
https://www.cve.org/CVERecord?id=CVE-2024-25128


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
