CVE-2024-27906
Apache Airflow: Dag Code and Import Error Permissions Ignored
Severity Score
"-"
*CVSS v-
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.
Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
Apache Airflow, versiones anteriores a la 2.8.2, tiene una vulnerabilidad que permite a los usuarios autenticados ver el código DAG e importar errores de DAG que no tienen permiso para ver a través de la API y la UI. Se recomienda a los usuarios de Apache Airflow actualizar a la versión 2.8.2 o posterior para mitigar el riesgo asociado con esta vulnerabilidad.
*Credits:
Alex Liotta, Sreenivasulu Suuda, vincbeck (Vincent), Jed Cunningham
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-02-27 CVE Reserved
- 2024-02-29 CVE Published
- 2024-03-01 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2024/02/29/1 |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/apache/airflow/pull/37290 | 2024-02-29 | |
| https://github.com/apache/airflow/pull/37468 | 2024-02-29 |
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5 | 2024-02-29 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Airflow Search vendor "Apache Software Foundation" for product "Apache Airflow" | < 2.8.2 Search vendor "Apache Software Foundation" for product "Apache Airflow" and version " < 2.8.2" | en |
Affected
| ||||||