<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2024-28746: Apache Airflow: Ignored Airflow Permissions
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Ephraim Anierobi <ephraimanierobi () apache org>
Date: Wed, 13 Mar 2024 17:50:30 +0000
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Severity: moderate
Affected versions:
- Apache Airflow 2.8.0 before 2.8.3
Description:
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited
permissions to access resources such as variables, connections, etc., from the UI which they do not have permission to
access.
Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this
vulnerability.
Credit:
Alex Liotta (finder)
Vincent(Vincbeck) (remediation developer)
References:
https://github.com/apache/airflow/pull/37881
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-28746
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->