Apache Airflow Vulnerability Affects DAG Code and Import Errors
CVE-2024-27906

5.9MEDIUM

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 29 February 2024

Summary

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Affected Version(s)

Apache Airflow 0 < 2.8.2

References

https://github.com/apache/airflow/pull/37290

patch

https://github.com/apache/airflow/pull/37468

patch

https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv...

vendor-advisory

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 29, 2024
Vulnerability Reserved
Feb 27, 2024

Credit

Alex Liotta

Sreenivasulu Suuda

vincbeck (Vincent)

Jed Cunningham