Airflow Vulnerability: Unauthorized Access to Audit Logs
CVE-2024-26280

4.7MEDIUM

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 1 March 2024

Summary

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Affected Version(s)

Apache Airflow 0 < 2.8.2

References

https://github.com/apache/airflow/pull/37501

patch

https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jj...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/03/01/1

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 1, 2024
Vulnerability Reserved
Feb 15, 2024

Credit

Yusuf AYDIN (@h1_yusuf)