CVE-2022-30034 Flower, a web UI for the Celery Python RPC framework, is vulnerable to an OAuth authentication bypass.

OAuth is a widely used authentication protocol. It gives users a secure way to grant authorized third parties, such as web apps, permission to access their data, and it reduces the risk of unauthorized access by letting users control who can reach that data. Access via OAuth is typically granted by a server through a login page. The security of OAuth, however, depends on the integrity of that server and on the secrecy of the login page: an attacker who can intercept the communication between the server and the user can obtain the login page and use it to gain access to the server. This is commonly known as a man-in-the-middle (MitM) attack.

Flower currently supports two OAuth providers: Google and Twitter. Several MitM attack scenarios can be used to obtain access to Flower’s OAuth providers, including:

- Stepping through proxies
- Hijacking sessions
- Creating fake login pages
- Exfiltrating login credentials
- Setting up a fake OAuth provider
- Redirecting users to fake OAuth providers

Stepping through proxies

Step 1: The attacker sets up a proxy server to intercept communication between the user and the server.
Step 2: The attacker performs a MitM attack on the proxy server to obtain the login page for one of Flower’s OAuth providers.
Step 3: The attacker uses their session with the login page to access Flower’s OAuth provider.

Timeline

Published on: 06/02/2022 14:15:00 UTC
Last modified on: 08/16/2022 14:15:00 UTC
