*Overview*: CVE-2024-25128: Vulnerability in custom, long deprecated OpenID (NOT OIDC) authentication method in Flask AppBuilder
When Flask-AppBuilder is set to ``AUTH_TYPE`` set to ``AUTH_OID``, it allows an attacker to forge an HTTP request that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from the popular OIDC - Open ID Connect - popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage and not supported for several years by major authorization providers. For more details https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj *Affected Versions* This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. *Recommendations*: Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue. If not possible users can just upgrade Flask-AppBuilder to version 4.3.11. Users that use ``AUTH_OID`` are recommended to migrate and change their authentication method If upgrade or changing authentication method is not possible add the following to your ``superset_config.py`` file to fix the issue: from flask import flash, redirect from flask_appbuilder import expose from superset.security.manager import SupersetSecurityManager from flask_appbuilder.security.views import AuthOIDView from flask_appbuilder.security.forms import LoginForm_oid class FixedOIDView(AuthOIDView): @expose("/login/", methods=["GET", "POST"]) def login(self, flag=True): form = LoginForm_oid() if form.validate_on_submit(): identity_url = None for provider in self.appbuilder.sm.openid_providers: if provider.get("url") == form.openid.data: identity_url = form.openid.data if identity_url is None: flash(self.invalid_login_message, "warning") return redirect(self.appbuilder.get_url_for_login) return super().login(flag=flag) class FixedSecurityManager(SupersetSecurityManager): authoidview = FixedOIDView FAB_SECURITY_MANAGER_CLASS = "superset_config.FixedSecurityManager" *Acknowledgments*: We would like to thank Islam Rzayev for finding and responsibly reporting this vulnerability.
