rdblue opened a new issue, #16488: URL: https://github.com/apache/iceberg/issues/16488
> This issue was reported to the private Apache Iceberg security mailing list. The submitter is being kept anonymous because the report was sent to a private list. After review, the issue is not considered a serious vulnerability that needs to be kept private, so it is being filed publicly here for tracking and resolution. > > Note: this submission was generated by AI. Please review its claims and source references carefully before acting on them. # Summary The deprecated S3 signer OpenAPI document advertises an endpoint that signs object-store requests and even lists `401` and `403` responses, but it never defines any `securitySchemes` or `security` requirement. That leaves generated clients, documentation portals, and API gateways without an explicit authentication contract for a signing oracle. In practice, operators then have to add the missing auth semantics by hand, which is exactly the kind of gap that leads to fail-open exposure. # Affected Maven coordinates * deprecated signer spec as shipped in `org.apache.iceberg:iceberg-aws` * bundle artifact: `org.apache.iceberg:iceberg-aws-bundle` # Attacker prerequisites * a deployment that publishes or imports the signer OpenAPI document into client tooling, docs, or gateway policy * no separate local rule that adds the missing authentication requirement back in # Impact * Misconfigured deployments can expose a signing oracle. * Tooling built from the spec can fail open around authentication. * API gateways or generated clients that rely on OpenAPI security metadata can under-protect a privileged signing endpoint because the document never tells them it needs auth. # Proof status Source review only. The issue is visible directly in the published spec text. # Key source references * s3-signer-open-api.yaml Current severity assessment [2]: Moderate [1] https://iceberg.apache.org/security/ [2] https://security.apache.org/blog/severityrating/ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
