CVE-2024-25128: Vulnerability in custom, long deprecated OpenID (NOT OIDC) authentication method in Flask AppBuilder
Severity: moderate

Affected versions:

- Apache Airflow before 2.8.2

Description:

When the Flask-AppBuilder ``AUTH_TYPE`` configuration option is set to ``AUTH_OID``, an attacker can forge an HTTP request that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privileged access if the attacker deploys a custom OpenID service that is accessible by the backend. For more details and remediation, see the blog post here: https://airflow.apache.org/blog/fab-oid-vulnerability/

Credit:

Islam Rzayev (finder)

References:

https://airflow.apache.org/
https://github.com/dpgaspar/Flask-AppBuilder/pull/2186
https://airflow.apache.org/blog/fab-oid-vulnerability/
https://www.cve.org/CVERecord?id=CVE-2024-25128
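A check for the condition the description names, as an added example (not code from the advisory or from the Airflow or Flask-AppBuilder projects): it parses a Flask-AppBuilder config file without importing it and reports whether ``AUTH_TYPE`` selects ``AUTH_OID`` on an Airflow version before 2.8.2. The function names and sample config strings are constructed for illustration; treating the literal ``0`` as ``AUTH_OID`` relies on the value Flask-AppBuilder assigns to that constant.

```python
import ast
import re

FIXED_IN = (2, 8, 2)  # from the advisory: Apache Airflow before 2.8.2 is affected

# Constructed sample configs (not taken from any real deployment).
SAMPLE_OID = "from flask_appbuilder.const import AUTH_OID\nAUTH_TYPE = AUTH_OID\n"
SAMPLE_DB = "from flask_appbuilder.const import AUTH_DB\nAUTH_TYPE = AUTH_DB\n"


def auth_type_is_oid(config_source: str) -> bool:
    """True if the last top-level AUTH_TYPE assignment selects AUTH_OID."""
    selected = None
    for node in ast.parse(config_source).body:
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue
        # A later assignment overrides an earlier one, as it would at import time.
        if any(isinstance(t, ast.Name) and t.id == "AUTH_TYPE" for t in targets):
            selected = value
    if isinstance(selected, ast.Name):        # AUTH_TYPE = AUTH_OID
        return selected.id == "AUTH_OID"
    if isinstance(selected, ast.Attribute):   # AUTH_TYPE = const.AUTH_OID
        return selected.attr == "AUTH_OID"
    # Assumption: AUTH_OID is the integer 0 in flask_appbuilder.const.
    return (isinstance(selected, ast.Constant)
            and type(selected.value) is int and selected.value == 0)


def parse_version(version: str) -> tuple:
    """Leading MAJOR.MINOR.PATCH as integers; pre-release suffixes are ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(airflow_version: str, config_source: str) -> bool:
    """Both conditions from the advisory: old Airflow and AUTH_TYPE = AUTH_OID."""
    return parse_version(airflow_version) < FIXED_IN and auth_type_is_oid(config_source)


if __name__ == "__main__":
    for version, source in (("2.8.1", SAMPLE_OID), ("2.8.2", SAMPLE_OID), ("2.8.1", SAMPLE_DB)):
        print(version, "affected" if is_affected(version, source) else "not affected")
```

The check only sees assignments at module level with a recognisable value; a config that computes ``AUTH_TYPE`` dynamically needs manual review.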