BIT-airflow-2022-45402
Open Redirect vulnerability in apache-airflow (PyPI)

Vulnerability type: Open Redirect. Known public exploit: none.

What is BIT-airflow-2022-45402 About?

This open redirect vulnerability in Apache Airflow's `/login` endpoint allows attackers to redirect users to arbitrary external websites. By manipulating the `/login` URL, attackers can craft phishing links, potentially leading to credential theft or malware infection. Exploitation is typically easy, requiring minimal technical skill to create the malicious URL.

Affected Software

apache-airflow <2.4.3

Technical Details

The vulnerability in Apache Airflow versions prior to 2.4.3 is located in the /login endpoint of the webserver. This endpoint accepts a parameter (e.g., 'next' or 'redirect_to') that specifies where the user should be sent after a successful login. The flaw is that the application does not properly validate or sanitize the value of this redirection parameter, so an attacker can supply an arbitrary external URL in it. When a user opens the crafted /login URL and then logs in (or is already logged in), the application redirects them to the attacker-controlled external site instead of a legitimate Airflow page. This enables phishing or tricking users into visiting malicious sites.
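As an added illustration (not Airflow's own code or its actual fix), the following contrasts a handler that trusts the redirect parameter outright with a validator that only accepts targets resolving to the application's own host. The parameter name `next`, the host value and the fallback page are assumptions.

```python
from urllib.parse import urlparse, urljoin

# Constructed host for the example; a real check would take it from the request.
APP_HOST = "airflow.example.internal"


def weak_redirect_target(next_param: str) -> str:
    """Vulnerable pattern: the caller-supplied value is used as-is."""
    return next_param or "/home"


def is_safe_redirect(target: str, app_host: str = APP_HOST) -> bool:
    """Accept only values that resolve to http(s) on app_host.

    The value is first resolved against the app's own base URL with urljoin,
    so scheme-relative values such as "//host/path" resolve to their real
    host instead of looking like a relative path. Backslashes and control
    characters are rejected outright because browsers normalise them
    differently from urlparse. The host comparison is exact (no port,
    userinfo or case variants), which is deliberately strict.
    """
    if not target:
        return False
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    resolved = urljoin(f"https://{app_host}/", target)
    parts = urlparse(resolved)
    return parts.scheme in ("http", "https") and parts.netloc == app_host


def safe_redirect_target(next_param: str, app_host: str = APP_HOST) -> str:
    """Hardened pattern: fall back to a fixed in-app page on any doubt."""
    return next_param if is_safe_redirect(next_param, app_host) else "/home"
```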

What is the Impact of BIT-airflow-2022-45402?

Successful exploitation may allow attackers to conduct phishing attacks, deceive users into visiting malicious websites, steal credentials, or perform drive-by downloads of malware.

What is the Exploitability of BIT-airflow-2022-45402?

Exploitation of this open redirect is straightforward and requires no complex technical skills. It is an unauthenticated attack, as it leverages a flaw in a public-facing endpoint. No specific privileges are needed; the attacker only needs to craft a malicious URL. This is a remote vulnerability, typically delivered via social engineering tactics like email or malicious links. The primary prerequisite is the ability to convince a user to click on a specially crafted URL. The risk factors are increased when users are not trained to recognize phishing attempts, and when the application's URL validation is lax, allowing external domains in redirect parameters.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-airflow-2022-45402?

Available Upgrade Options

  • apache-airflow
    • <2.4.3 → Upgrade to 2.4.3


Additional Resources

What are Similar Vulnerabilities to BIT-airflow-2022-45402?

Similar Vulnerabilities: CVE-2021-24796, CVE-2020-10705, CVE-2019-17029, CVE-2018-1259, CVE-2017-5638