Apache Airflow Vulnerability Affects DAG Code and Import Errors
CVE-2024-27906

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 29 February 2024

Summary

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Affected Version(s)

Apache Airflow 0 < 2.8.2

References

https://github.com/apache/airflow/pull/37290

patch

https://github.com/apache/airflow/pull/37468

patch

https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv...

vendor-advisory

Timeline

Vulnerability published
Feb 29, 2024
Vulnerability Reserved
Feb 27, 2024

Credit

Alex Liotta

Sreenivasulu Suuda

vincbeck (Vincent)

Jed Cunningham