SB2024030133 - Multiple vulnerabilities in Apache Airflow
Published: March 1, 2024. Updated: March 4, 2024.
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2024-25128)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error in Flask-AppBuilder when "AUTH_TYPE" is set to "AUTH_OID". A remote attacker can force the application to use a custom OpenID service under the attacker's control, bypass the authentication process and gain unauthorized access to the application.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-27906)
The vulnerability allows a remote user to gain access to otherwise restricted functionality.
The vulnerability exists because the application does not properly impose security restrictions. A remote authenticated user can view the DAG code and import errors of DAGs they do not have permission to view, through both the API and the UI.
3) Improper access control (CVE-ID: CVE-2024-26280)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user with Ops or Viewer access can view all information in the audit logs, including DAG names and usernames they were not permitted to view.
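As an added example (not part of this bulletin, of Flask-AppBuilder, or of Airflow's own tooling): a Python check that reads an Airflow webserver_config.py and reports whether AUTH_TYPE is set to AUTH_OID, the configuration under which item 1 applies. The sample config strings are constructed, and the file is parsed with ast so it is never executed.

```python
"""Audit an Airflow webserver_config.py for the AUTH_OID setting named in CVE-2024-25128.

The config is parsed with ast instead of being imported or exec'd, so a file
with side effects (or one that is not trusted) is never run during the audit.
"""
import ast
from typing import Optional

# Flask-AppBuilder constant named in the bulletin; matched by identifier, not by value.
OPENID_AUTH_NAMES = {"AUTH_OID"}


def _identifier_of(node: ast.AST) -> Optional[str]:
    """Map `AUTH_OID` or `module.AUTH_OID` on the right-hand side to its bare name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None  # a literal or an expression we do not try to interpret


def find_auth_type(config_source: str) -> Optional[str]:
    """Return the identifier assigned to AUTH_TYPE at module level, or None if unset."""
    found = None
    for stmt in ast.parse(config_source).body:  # top-level statements, in file order
        if not isinstance(stmt, ast.Assign):
            continue
        for target in stmt.targets:
            if isinstance(target, ast.Name) and target.id == "AUTH_TYPE":
                found = _identifier_of(stmt.value)  # last assignment wins, as in Python
    return found


def uses_openid_auth(config_source: str) -> bool:
    """True when the config selects the AUTH_OID mode described in item 1."""
    return find_auth_type(config_source) in OPENID_AUTH_NAMES


# Constructed sample configs (hypothetical, not taken from any real deployment).
SAMPLE_OID = "from flask_appbuilder.const import AUTH_OID\nAUTH_TYPE = AUTH_OID\n"
SAMPLE_DB = "from flask_appbuilder.const import AUTH_DB\nAUTH_TYPE = AUTH_DB\n"

if __name__ == "__main__":
    for label, src in (("oid", SAMPLE_OID), ("db", SAMPLE_DB)):
        status = "exposed until Flask-AppBuilder is updated" if uses_openid_auth(src) else "not using AUTH_OID"
        print(f"{label}: AUTH_TYPE={find_auth_type(src)} -> {status}")
```

Run it against a real webserver_config.py by passing the file contents to uses_openid_auth(); a True result means the deployment matches the configuration described in item 1 and should be prioritised for the vendor update.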
Remediation
Install the update from the vendor's website.
References
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj
- https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8
- https://github.com/apache/airflow/pull/37290
- https://github.com/apache/airflow/pull/37468
- https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
- http://www.openwall.com/lists/oss-security/2024/02/29/1
- https://github.com/apache/airflow/pull/37501
- https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh