PT-2024-2573 · Apache · Apache Airflow

Alex Liotta +1 · Published 2024-03-13 · Updated 2024-12-11 · CVE-2024-28746

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Apache Airflow versions 2.8.0 through 2.8.2

Description

The issue is related to insufficient access control in Apache Airflow. An authenticated user with limited permissions can use the UI to access resources, such as variables and connections, that they do not have permission to access. This could potentially allow a remote attacker to gain unauthorized access to resources.

Recommendations

For Apache Airflow versions 2.8.0 through 2.8.2, upgrade to version 2.8.3 or newer to mitigate the risk associated with this issue.

Fix

Improper Access Control

Improper Preservation of Permissions

Weakness Enumeration

Related Identifiers

BDU:2024-02611
BIT-AIRFLOW-2024-28746
CVE-2024-28746
GHSA-H574-6646-VFXX
PYSEC-2024-46

Affected Products

Apache Airflow