Multiple vulnerabilities in Apache Airflow



Published: 2024-03-01 | Updated: 2024-03-04
Risk: High
Patch available: Yes
Number of vulnerabilities: 3
CVE-ID: CVE-2024-25128, CVE-2024-27906, CVE-2024-26280
CWE-ID: CWE-287, CWE-264, CWE-284
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Apache Airflow (Web applications / Modules and components for CMS)

Vendor: Apache Foundation

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper Authentication

EUVDB-ID: #VU86952

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-25128

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error in Flask-AppBuilder when "AUTH_TYPE" is set to "AUTH_OID". A remote attacker can force the application to use a custom OpenID service under the attacker's control, bypass the authentication process and gain unauthorized access to the application.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Apache Airflow: 2.0.0 - 2.8.1
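As an added defender's check (not part of this bulletin or of Airflow itself): the script below decides whether a deployment is exposed to CVE-2024-25128 by combining the version window above with the AUTH_TYPE setting in webserver_config.py. The sample config is constructed for the demo; the file is scanned as text and never executed, and only the AUTH_OID name from the description above is assumed.

```python
import re
from typing import Optional

# Affected range from the advisory above: Apache Airflow 2.0.0 - 2.8.1.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 8, 1)

# Constructed sample webserver_config.py (not a real deployment's file).
SAMPLE_CONFIG = """
from flask_appbuilder.security.manager import AUTH_DB, AUTH_OID
# AUTH_TYPE = AUTH_DB   <- commented out, must be ignored
AUTH_TYPE = AUTH_DB
AUTH_TYPE = AUTH_OID    # last top-level assignment wins, as in Python
"""

_ASSIGN = re.compile(r"^\s*AUTH_TYPE\s*=\s*([A-Za-z_]\w*)\s*$")

def parse_version(text: str) -> tuple:
    """'2.8.1' or '2.8.1rc1' -> (2, 8, 1); pre-release suffixes are dropped."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Airflow version: {text!r}")
    return tuple(int(p) for p in m.groups())

def version_is_affected(text: str) -> bool:
    """True when the version falls inside the advisory's 2.0.0 - 2.8.1 window."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

def effective_auth_type(config_source: str) -> Optional[str]:
    """AUTH_TYPE that would be in effect, found by scanning the file as text.
    Comments are stripped so a commented-out line is ignored, and the last
    assignment wins. The file is never executed, so copied configs are safe."""
    found = None
    for line in config_source.splitlines():
        m = _ASSIGN.match(line.split("#", 1)[0])
        if m:
            found = m.group(1)
    return found

def assess_cve_2024_25128(version: str, config_source: str) -> dict:
    """Exposed only when BOTH an affected version and AUTH_TYPE = AUTH_OID hold."""
    affected = version_is_affected(version)
    auth = effective_auth_type(config_source)
    return {"affected_version": affected, "auth_type": auth,
            "exposed": affected and auth == "AUTH_OID"}

if __name__ == "__main__":
    print(assess_cve_2024_25128("2.8.1", SAMPLE_CONFIG))
```

Run it against the real webserver_config.py and the output of `airflow version` to confirm that upgrading, or switching away from AUTH_OID, has actually removed the exposure.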

External links

http://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj
http://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU86951

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27906

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to otherwise restricted functionality.

The vulnerability exists because the application does not properly impose security restrictions. A remote authenticated user can view the DAG code and import errors of DAGs they do not have permission to view, through both the API and the UI.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Apache Airflow: 2.0.0 - 2.8.1

External links

http://github.com/apache/airflow/pull/37290
http://github.com/apache/airflow/pull/37468
http://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
http://www.openwall.com/lists/oss-security/2024/02/29/1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper access control

EUVDB-ID: #VU86995

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-26280

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote authenticated user with the Ops or Viewers role can view all information in the audit logs, including DAG names and usernames they were not permitted to view.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Apache Airflow: 2.0.0 - 2.8.1

External links

http://github.com/apache/airflow/pull/37501
http://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.