Apache Airflow Keycloak Provider Missing OAuth State Parameter Vulnerability
Vulnerability
A vulnerability exists in the Keycloak authentication manager of the Apache Airflow Keycloak provider, affecting versions from 0.0.1 up to but not including 0.7.0. The authentication manager neither generated nor validated the OAuth 2.0 'state' parameter during the login and login-callback flows, and did not implement Proof Key for Code Exchange (PKCE). Because the callback was not bound to the browser session that started the login, an attacker with a Keycloak account in the same realm could send a crafted callback URL to a victim's browser. The victim would then be logged into the attacker's Airflow session, a login Cross-Site Request Forgery (CSRF) or session fixation attack. Consequently, any credentials the victim later saved in Airflow Connections could be accessed by the attacker.
Impact
Exploitation of this vulnerability could result in a login CSRF or session fixation attack, allowing an attacker to hijack a victim's Airflow session and access sensitive information stored in Airflow Connections.
Remediation
Users are advised to upgrade to Apache Airflow Keycloak Provider version 0.7.0 or later.
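The fix class described above is the standard defence for an authorization-code login: mint a random 'state' and a PKCE verifier when the login starts, bind both to the browser session, and refuse any callback whose 'state' does not match the pending one. The following is an added illustration of that pattern, not code from the Apache Airflow Keycloak provider or from the 0.7.0 fix; the endpoint URLs, the plain dict standing in for a server-side session, and the callback handler names are assumptions made for the example. The unsafe handler is included only to show why an unbound callback is accepted.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoints for the example (not real deployments).
AUTH_ENDPOINT = "https://keycloak.example/realms/airflow/protocol/openid-connect/auth"
REDIRECT_URI = "https://airflow.example/auth/callback"


class CallbackRejected(Exception):
    """Raised when a login-callback request fails the state/PKCE checks."""


def pkce_challenge_from_verifier(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Fresh high-entropy code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge_from_verifier(verifier)


def build_login_redirect(session: dict, auth_endpoint: str, client_id: str, redirect_uri: str) -> str:
    """Login step: mint state + PKCE pair, bind both to this browser session, build the redirect."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = make_pkce_pair()
    session["oauth_state"] = state          # bound to this session only
    session["pkce_verifier"] = verifier     # sent later with the token request, never to the browser
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def handle_callback_vulnerable(session: dict, callback_url: str) -> str:
    """Unsafe pattern: any code that arrives is exchanged, nothing ties it to the session."""
    qs = parse_qs(urlparse(callback_url).query)
    return qs["code"][0]


def handle_callback(session: dict, callback_url: str) -> tuple:
    """Callback step: accept the code only if 'state' matches the one pending in this session.

    Returns (code, code_verifier) for the token request. The pending state is consumed
    on first use, so a replayed callback is rejected as well.
    """
    qs = parse_qs(urlparse(callback_url).query)
    expected_state = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    received_state = qs.get("state", [None])[0]
    if expected_state is None or received_state is None:
        raise CallbackRejected("no pending login bound to this session")
    if not secrets.compare_digest(expected_state, received_state):
        raise CallbackRejected("state mismatch")
    code = qs.get("code", [None])[0]
    if not code:
        raise CallbackRejected("missing authorization code")
    return code, verifier


def demo() -> dict:
    """Run the two handlers against a bound callback and an unbound (foreign) one."""
    results = {}
    victim_session = {}
    redirect = build_login_redirect(victim_session, AUTH_ENDPOINT, "airflow", REDIRECT_URI)
    victim_state = parse_qs(urlparse(redirect).query)["state"][0]

    # Constructed: a callback carrying a code issued for some other account and
    # no state bound to the victim's session.
    foreign = f"{REDIRECT_URI}?code=code-from-another-account"
    try:
        handle_callback(dict(victim_session), foreign)  # copy: keep the pending state for later
        results["crafted_rejected"] = False
    except CallbackRejected:
        results["crafted_rejected"] = True
    results["vulnerable_accepts_crafted"] = (
        handle_callback_vulnerable({}, foreign) == "code-from-another-account"
    )

    # The callback Keycloak would send back for the login this session actually started.
    legit = f"{REDIRECT_URI}?code=code-for-this-session&state={victim_state}"
    code, verifier = handle_callback(victim_session, legit)
    results["legit_accepted"] = code == "code-for-this-session" and verifier is not None
    try:
        handle_callback(victim_session, legit)  # replay: state already consumed
        results["replay_rejected"] = False
    except CallbackRejected:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The code_verifier never leaves the server: only its SHA-256 challenge goes to the authorization endpoint, and the verifier accompanies the code in the back-channel token request, so a code obtained by anyone else cannot be redeemed against this session even if the 'state' check were bypassed.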
