Main Vulnerability Database Vulnerabilities #VU86951

Permissions, Privileges, and Access Controls in Apache Airflow - CVE-2024-27906

Published: March 1, 2024

Vulnerability identifier: #VU86951

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-27906

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Apache Airflow

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote user to gain access to otherwise restricted functionality.

The vulnerability exists due to application does not properly impose security restrictions. A remote authenticated user can view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Remediation

Install updates from vendor's website.

External links

https://github.com/apache/airflow/pull/37290
https://github.com/apache/airflow/pull/37468
https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
http://www.openwall.com/lists/oss-security/2024/02/29/1

Permissions, Privileges, and Access Controls in Apache Airflow - CVE-2024-27906

Description

Remediation

External links

Please verify you're human