
CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Aug 2023 — The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that). With this fix implemented, when using the database session backend, th... • https://github.com/apache/airflow/pull/33347 • CWE-384: Session Fixation