PT-2024-2130 · Apache · Apache Airflow

H1_Yusuf +1
Published: 2024-03-01 · Updated: 2024-11-01
CVE-2024-26280
CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.8.2
Description: The issue is caused by incorrect default permissions in Apache Airflow. Authenticated users holding the Op ("Ops") or Viewer role could read the full audit log, including DAG names and usernames they were otherwise not permitted to see. As of version 2.8.2, Op and Viewer users no longer receive the audit log permission by default and must be granted it explicitly; only Admin users hold the audit log permission by default.
Recommendations: For Apache Airflow versions prior to 2.8.2, upgrade to version 2.8.2 or newer. After upgrading, review any customised roles: the fix changes only the default role definitions, so a role that was explicitly granted audit log access keeps it.
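A quick way to verify an instance is to inspect the RBAC role definitions rather than trust the version number. The script below is an example added to this entry; it is not code from the advisory or from the Airflow project. It takes role data in the shape returned by the Airflow REST API (GET /api/v1/roles: roles[].name plus roles[].actions[] with action.name and resource.name) and lists every role other than Admin that holds can_read on the "Audit Logs" resource. The role data shown is constructed, and the resource and action names are assumed to match airflow.security.permissions in the version in use.

```python
"""Audit Airflow RBAC roles for audit-log read access.

Added example for CVE-2024-26280; not code from the Airflow project.
Assumptions: the resource/action names below match
airflow.security.permissions for your version, and the input has the
shape of the Airflow REST API's GET /api/v1/roles response.
"""
from typing import Dict, List

# Airflow RBAC names for the audit log (assumed to match your version).
AUDIT_LOG_RESOURCE = "Audit Logs"
READ_ACTION = "can_read"

# Roles that keep audit-log access under the 2.8.2+ defaults.
ALLOWED_ROLES = {"Admin"}


def _grants_audit_log_read(entry: Dict) -> bool:
    """True if one action/resource pair grants can_read on Audit Logs."""
    return (entry.get("action", {}).get("name") == READ_ACTION
            and entry.get("resource", {}).get("name") == AUDIT_LOG_RESOURCE)


def roles_with_audit_log_read(role_collection: Dict) -> List[str]:
    """Return role names outside ALLOWED_ROLES that can read Audit Logs, sorted."""
    flagged = []
    for role in role_collection.get("roles", []):
        name = role.get("name", "")
        if name in ALLOWED_ROLES:
            continue
        if any(_grants_audit_log_read(e) for e in role.get("actions", [])):
            flagged.append(name)
    return sorted(flagged)


def strip_audit_log_read(role: Dict) -> Dict:
    """Return a copy of one role with can_read on Audit Logs removed.

    The copy keeps the {"name", "actions"} shape so it can serve as the body
    of PATCH /api/v1/roles/{name} (assumed; check your version's API schema).
    """
    return {
        "name": role["name"],
        "actions": [e for e in role.get("actions", []) if not _grants_audit_log_read(e)],
    }


def _role(name: str, *pairs):
    """Build a role dict in REST-API shape from (action, resource) pairs."""
    return {"name": name,
            "actions": [{"action": {"name": a}, "resource": {"name": r}} for a, r in pairs]}


# Constructed sample: what a pre-2.8.2 instance might report
# (Op and Viewer still hold can_read on Audit Logs).
SAMPLE_PRE_FIX = {"roles": [
    _role("Admin", ("can_read", "Audit Logs"), ("can_edit", "DAGs")),
    _role("Op", ("can_read", "Audit Logs"), ("can_read", "DAGs")),
    _role("Viewer", ("can_read", "Audit Logs"), ("can_read", "DAGs")),
    _role("User", ("can_read", "DAGs")),
    _role("Public"),
]}

# Constructed sample: the same roles with the 2.8.2 defaults applied.
SAMPLE_POST_FIX = {"roles": [
    r if r["name"] in ALLOWED_ROLES else strip_audit_log_read(r)
    for r in SAMPLE_PRE_FIX["roles"]
]}


if __name__ == "__main__":
    for label, sample in (("before 2.8.2", SAMPLE_PRE_FIX), ("after 2.8.2", SAMPLE_POST_FIX)):
        found = roles_with_audit_log_read(sample)
        print(f"{label}: roles with audit-log read outside allowlist: {found or 'none'}")
```

To use it against a real deployment, fetch /api/v1/roles with an Admin credential, parse the JSON body and pass it to roles_with_audit_log_read; on a correctly configured 2.8.2+ instance the result should be empty. Because the fix only changes the default role definitions, the check is worth running after the upgrade as well, since a role that was customised earlier keeps whatever grants it has.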

Fix: available (upgrade to 2.8.2 or newer)

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

BDU:2024-02029
BIT-AIRFLOW-2024-26280
CVE-2024-26280
GHSA-6XWF-XVF3-V459
PYSEC-2024-42

Affected Products

Apache Airflow