PT-2025-2679 · Apache · Apache Airflow Fab Provider

Saurabh Banawar · Published 2025-01-08 · Updated 2025-01-08 · CVE-2024-45033

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Apache Airflow Fab Provider versions prior to 1.5.2

Description

The issue affects Apache Airflow Fab Provider when a user's password is changed using the admin CLI, leading to insufficient session expiration. This allows logged-in users to remain connected even after the password change. The problem does not occur when the password is changed through the web server.

Recommendations

To resolve the issue, upgrade to version 1.5.2, which fixes the problem.

Fix

Insufficient Session Expiration

Weakness Enumeration

Related Identifiers

BDU:2025-03165
CVE-2024-45033
GHSA-8863-4QMG-FR45

Affected Products

Apache Airflow Fab Provider