gxx777 opened a new issue, #35126:
URL: https://github.com/apache/airflow/issues/35126

### Apache Airflow version

2.7.2

### What happened

Hi,

In the project's code, there is a critical security flaw in JWT (JSON Web Token) validation. Attackers can exploit this vulnerability to forge valid JWTs and bypass access controls. Specifically, the code uses `verify=False` to disable JWT validation, allowing attackers to access protected resources by forging JWTs.

location:

https://github.com/apache/airflow/blob/main/airflow/providers/plexus/hooks/plexus.py#L62
   
   
### What you think should happen instead

JSON Web Tokens (JWT) are widely used for authentication and authorization in many applications. However, in the project's code, there is a serious security issue where JWT validation is not enabled and instead, the `verify=False` parameter is used. This means that JWT signature verification is bypassed, enabling attackers to forge valid JWT tokens and gain access to protected resources, posing a significant security threat.
   
### How to reproduce

Obtaining a JWT from the token_endpoint and using the decode function with `verify=False` during acceptance can lead to a significant security issue. When verify is set to False, the JWT's digital signature is not verified. This means that the JWT can be tampered with or forged without detection, potentially allowing unauthorized access to protected resources or services. This poses a serious security threat, as the integrity and authenticity of the JWT cannot be guaranteed, and malicious actors could exploit this vulnerability to gain unauthorized access to sensitive data or functionalities. It is essential to ensure proper JWT validation and verification to prevent such security risks.
   
### Operating System

macOS 13.4.1

### Versions of Apache Airflow Providers

_No response_

### Deployment

Other

### Deployment details

_No response_

### Anything else

_No response_

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
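The difference the report describes, shown with stdlib-only code as an added example that is not part of the issue or of the Airflow provider: `decode_unverified` does what a `verify=False` decode does (trusts the payload without checking the signature), while `decode_verified` recomputes and compares the signature and rejects a token whose claims were altered. The HS256 algorithm, the key and the sample claims are constructed for the example; the real token endpoint may use a different algorithm, in which case the same principle applies with the issuer's public key instead of a shared secret.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes) -> str:
    # Minimal HS256 signer, used only to build sample input for this example.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    # Equivalent of decoding with verify=False: the payload is trusted as-is.
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, key: bytes) -> dict:
    # Pin the expected algorithm, recompute the HMAC over header.payload,
    # and compare in constant time before trusting any claim.
    header, payload, sig = token.split(".")
    alg = json.loads(_b64url_decode(header)).get("alg")
    if alg != "HS256":
        raise ValueError(f"unexpected alg {alg!r}")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid JWT signature")
    return json.loads(_b64url_decode(payload))


KEY = b"constructed-example-key"  # constructed; a real deployment uses the issuer's key
GENUINE = make_hs256_token({"sub": "user", "role": "reader"}, KEY)

# Constructed test input: claims changed, original signature left in place.
_h, _, _s = GENUINE.split(".")
TAMPERED = f"{_h}.{_b64url_encode(json.dumps({'sub': 'user', 'role': 'admin'}).encode())}.{_s}"
```

Running the two decoders over `TAMPERED` shows the unverified path returning the altered role and the verified path raising, which is the check the report asks the hook to perform.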
   

