rdblue opened a new issue, #16482: URL: https://github.com/apache/iceberg/issues/16482
> This issue was reported to the private Apache Iceberg security mailing list. The submitter is being kept anonymous because the report was sent to a private list. After review, the issue is not considered a serious vulnerability that needs to be kept private, so it is being filed publicly here for tracking and resolution. > > Note: this submission was generated by AI. Please review its claims and source references carefully before acting on them. # Summary The GCS credential refresh endpoint accepts arbitrary absolute URLs and sends catalog-authenticated requests to them, including plain HTTP. # Affected Maven coordinates * primary shipped client artifact: `org.apache.iceberg:iceberg-gcp` * bundle artifact: `org.apache.iceberg:iceberg-gcp-bundle` # Attacker prerequisites * control over the affected catalog response, configuration surface, or spec-consumed routing value * a client or service that honors the affected configuration without an additional allow-list # Impact * If the refresh endpoint is changed to another origin, Iceberg will send the catalog-authenticated request there. * That enables SSRF-style behavior and can leak catalog auth headers or bearer tokens to an attacker-controlled endpoint. * The issue is worse because absolute `http://` URLs are also accepted. * In REST catalog deployments, this can be table-scoped rather than just global config, because `core/` merges table config into `GCSFileIO` properties before `GCPProperties` resolves the refresh endpoint. # Proof status Source review only. The issue is visible directly from source. # Key source references * org.apache.iceberg.gcp.GCPProperties * org.apache.iceberg.rest.RESTUtil * org.apache.iceberg.gcp.gcs.OAuth2RefreshCredentialsHandler Current severity assessment [2]: Important [1] https://iceberg.apache.org/security/ [2] https://security.apache.org/blog/severityrating/ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
