rdblue opened a new issue, #16483: URL: https://github.com/apache/iceberg/issues/16483
> This issue was reported to the private Apache Iceberg security mailing list. The submitter is being kept anonymous because the report was sent to a private list. After review, the issue is not considered a serious vulnerability that needs to be kept private, so it is being filed publicly here for tracking and resolution. > > Note: this submission was generated by AI. Please review its claims and source references carefully before acting on them. # Summary `GoogleAuthManager` uses Google’s obsolete generic credential loader without validating credential type, so untrusted JSON can select unexpected auth flows. The issue is not only that the code accepts many credential formats. It also delegates type selection to a loader that Google now documents as obsolete for security reasons, which means attacker-controlled JSON can steer Iceberg into auth flows the deployment did not intend to allow. # Affected Maven coordinates * primary shipped client artifact: `org.apache.iceberg:iceberg-gcp` * bundle artifact: `org.apache.iceberg:iceberg-gcp-bundle` # Attacker prerequisites * ability to influence `gcp.auth.credentials-path` or `gcp.auth.credentials-json` * a deployment that expects only a narrow credential type, such as service-account credentials, but does not validate that expectation before loading the JSON # Impact * If those properties can be influenced by an untrusted source, Iceberg may load an unexpected credential type instead of the intended service-account key. * That can trigger unintended outbound auth flows and, in some configurations, executable-backed credential retrieval. # Proof status I reproduced this locally with a targeted reproducer or exploit. The observed result matches the trigger and impact described above. # Key source references * org.apache.iceberg.gcp.auth.GoogleAuthManager Current severity assessment [2]: Moderate [1] https://iceberg.apache.org/security/ [2] https://security.apache.org/blog/severityrating/ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
