PT-2024-1970 · Apache · Apache Airflow

Alex Liotta

Published

2024-02-27

Updated

2025-05-06

CVE-2024-27906

CVSS v3.1

5.9

Medium

Vector

AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 2.8.2

Description The issue allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. This is related to the disclosure of information in the error data area. Exploitation of the issue may allow a remote attacker to access the source code of DAGs.

Recommendations For Apache Airflow versions prior to 2.8.2, upgrade to version 2.8.2 or newer to mitigate the risk associated with this issue. As a temporary workaround, consider restricting access to the API and UI for authenticated users until a patch is available.

Fix

Missing Authorization

Exposure of Resource to Wrong Sphere

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-668

Related Identifiers

BDU:2024-01798

BIT-AIRFLOW-2024-27906

CVE-2024-27906

GHSA-6V6W-H8M6-7MV2

PYSEC-2024-245

Affected Products

Apache Airflow

PT-2024-1970 · Apache · Apache Airflow

CVE-2024-27906

Weakness Enumeration

Related Identifiers

Affected Products

References · 29