CVE-2022-38054

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Apache Airflow versions 2.2.4 through 2.3.3

Description The issue concerns the database webserver session backend, which was susceptible to session fixation. This means an attacker could potentially fixate a session ID on a user's browser, allowing them to access the user's session after the user has authenticated.

Recommendations For Apache Airflow versions 2.2.4 through 2.3.3, consider disabling the database webserver session backend as a temporary workaround until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Session Fixation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-384

Related Identifiers

BIT-AIRFLOW-2022-38054

CVE-2022-38054

GHSA-5FF8-7639-6V6G

PYSEC-2022-263

Affected Products

Apache Airflow

CVE-2022-38054

Weakness Enumeration

Related Identifiers

Affected Products

References · 12