Vended-credential refresh accepts arbitrary absolute URLs and reuses the catalog auth session

[rdblue]

This issue was reported to the private Apache Iceberg security mailing list. The submitter is being kept anonymous because the report was sent to a private list. After review, the issue is not considered a serious vulnerability that needs to be kept private, so it is being filed publicly here for tracking and resolution.

Note: this submission was generated by AI. Please review its claims and source references carefully before acting on them.

Summary

The ADLS credential refresh endpoint accepts arbitrary absolute URLs
and reuses the catalog auth session when calling them, enabling
cross-origin credential leakage.

Affected Maven coordinates

• primary shipped client artifact: org.apache.iceberg:iceberg-azure
• bundle artifact: org.apache.iceberg:iceberg-azure-bundle

Attacker prerequisites

• control over the affected catalog response, configuration surface,
  or spec-consumed routing value
• a client or service that honors the affected configuration without
  an additional allow-list

Impact

• If adls.refresh-credentials-endpoint is pointed at another origin,
  Iceberg will send the catalog-authenticated request there.
• That can leak catalog auth headers or bearer tokens to an
  attacker-controlled endpoint.
• Plaintext http:// is accepted too, so the same flow can be
  downgraded to cleartext transport.

Proof status

Source review only. The issue is visible directly from source.

Key source references

• org.apache.iceberg.azure.AzureProperties
• org.apache.iceberg.azure.adlsv2.VendedAdlsCredentialProvider
• org.apache.iceberg.rest.RESTUtil
• org.apache.iceberg.rest.HTTPRequest

[rdblue]

This requires trusting a malicious catalog, which is not reasonable. If an attacker controls a trusted catalog, that attacker already has access to user identity tokens and can do much more than redirect those same tokens to another endpoint. In addition, the ability for the catalog to send the correct refresh endpoint to the client is an intended feature.

This is also being addressed by ongoing work to add refresh tokens.