CVE-2022-40754
Open Redirect vulnerability in apache-airflow (PyPI)

Weakness class: Open Redirect. Known public exploits: none.

What is CVE-2022-40754 About?

This vulnerability is an open redirect flaw in Apache Airflow's webserver, allowing attackers to send users to arbitrary external sites by way of a link to the trusted Airflow host. The impact ranges from phishing to malware delivery, and it is easy to exploit: the attacker only has to place an external URL in a query parameter of a link to the legitimate webserver and get a user to open it.

Affected Software

  • apache-airflow
    • >=2.3.0, <2.4.0b1
    • >=2.3.0, <2.4.0rc1
    (Both ranges describe the same affected releases, 2.3.0 through 2.3.4; the upper bounds are the pre-release builds of 2.4.0 in which the fix first shipped.)

Technical Details

The /confirm endpoint in Apache Airflow versions 2.3.0 through 2.3.4 did not validate or sanitize the user-supplied URL it redirected the client to. An attacker could craft a link to the legitimate Airflow host whose redirect parameter carried an external, attacker-controlled URL. When a user opened that link, the server answered with a redirect to the external site instead of to an expected page on the Airflow instance. No browser security boundary such as the same-origin policy is bypassed here; the problem is that a trusted host vouches for an untrusted destination, so the link looks legitimate to the user and to URL-reputation filters while it delivers the victim to a phishing page or a drive-by download. The standard fix is to accept only same-host targets (compare the parsed hostname against the server's own host, and reject non-HTTP schemes and protocol-relative forms such as //evil.example) or, better, to accept a route name rather than a URL and build the destination server-side.
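The bug class and the fix pattern, as an added example that is not Apache Airflow's /confirm code or the project's actual patch: a minimal handler that trusts a redirect parameter, next to a hardened check that keeps the browser on the server's own host. The handler names, the parameter name "redirect", the fallback path "/home" and the hostname airflow.example.internal are assumptions chosen for illustration; the page does not state the real parameter name.

```python
"""Open redirect next to a hardened redirect check (added example, not
Apache Airflow's code or its patch).

Assumptions for illustration: the handler names below, the query parameter
name "redirect", the fallback path "/home" and the deployment hostname
"airflow.example.internal".
"""
from urllib.parse import urlparse

OWN_HOST = "airflow.example.internal"  # assumed hostname of the trusted webserver
FALLBACK = "/home"                     # assumed safe landing page


def vulnerable_confirm(redirect_param: str) -> str:
    """Vulnerable pattern: the client-supplied value becomes the Location
    header unchanged, so https://evil.example/ is honoured as-is."""
    return redirect_param


def is_safe_redirect_target(target: str, own_host: str) -> bool:
    """True only if `target` keeps the browser on `own_host`.

    Covers the common bypasses: protocol-relative "//evil", backslash
    variants "/\\evil" (browsers read "\\" as "/" in http URLs), missing
    slashes "https:/evil", non-http schemes such as javascript:, and
    userinfo tricks "https://own_host@evil".
    """
    if not target:
        return False
    # Mirror browser normalisation before parsing; otherwise "/\evil" parses
    # as a harmless relative path although the browser navigates to //evil.
    normalised = target.replace("\\", "/")
    # Browsers strip ASCII control characters and whitespace from URLs;
    # reject them rather than trying to reproduce every quirk.
    if any(ord(c) < 0x21 for c in normalised):
        return False
    parsed = urlparse(normalised)
    if parsed.scheme:
        if parsed.scheme not in ("http", "https"):
            return False
        # "https:/evil" has a scheme but no netloc; browsers still leave the site.
        if not parsed.netloc:
            return False
        # Compare the hostname, not netloc, so user@ and :port cannot smuggle a host.
        return parsed.hostname == own_host
    if parsed.netloc:
        # Scheme-less but with an authority: "//evil.example/..."
        return parsed.hostname == own_host
    # Plain relative path: require a leading "/" but not "//" (or "///",
    # which browsers also read as an authority section).
    return normalised.startswith("/") and not normalised.startswith("//")


def hardened_confirm(redirect_param: str) -> str:
    """Hardened pattern: redirect only to validated same-host targets,
    otherwise fall back to a fixed page."""
    if is_safe_redirect_target(redirect_param, OWN_HOST):
        return redirect_param
    return FALLBACK


if __name__ == "__main__":
    # Constructed attacker-supplied values, not captured traffic.
    samples = [
        "/dags",
        "https://airflow.example.internal/dags",
        "https://evil.example/login",
        "//evil.example/",
        "/\\evil.example/",
        "https:/evil.example",
        "https://airflow.example.internal@evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:50} vulnerable -> {vulnerable_confirm(s)!r:50} "
              f"hardened -> {hardened_confirm(s)!r}")
```

The check compares parsed.hostname rather than the raw netloc and normalises backslashes before parsing, because those two details are where most "same-host" checks fail in practice. Where the application controls all possible destinations, accepting a route name and resolving it server-side removes the problem entirely and is preferable to any URL validator.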

What is the Impact of CVE-2022-40754?

Successful exploitation may allow attackers to redirect users to malicious websites, facilitating phishing attacks, spreading malware, or tricking users into divulging sensitive information. It can also be used as a stepping stone for more complex social engineering schemes.

What is the Exploitability of CVE-2022-40754?

Exploitation is low complexity but depends on user interaction: the attacker crafts a link and must get a user to open it. Building and distributing the link requires no account on the Airflow instance; whether the endpoint answers before a login depends on the deployment's authentication setup, and the natural victims are users who already have access to the webserver. The attack is remote. The primary risk factor is that the link points at a host the victim trusts, so the hop to the attacker's site is easy to miss, which makes the flaw suitable for widespread phishing campaigns.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-40754?

Available Upgrade Options

  • apache-airflow
    • >=2.3.0, <2.4.0b1 → Upgrade to 2.4.0b1
    • >=2.3.0, <2.4.0rc1 → Upgrade to 2.4.0rc1
    • In practice, move to the stable 2.4.0 release or later rather than a pre-release build; confirm the running version with the airflow version command or pip show apache-airflow.


Additional Resources

What are Similar Vulnerabilities to CVE-2022-40754?

Similar Vulnerabilities: CVE-2023-28362, CVE-2021-38556, CVE-2020-13935, CVE-2018-1323, CVE-2016-10002