First published: Fri Oct 07 2022
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Airflow | <=2.4.1 | |
| pip/apache-airflow | <2.4.1rc1 | 2.4.1rc1 |
This Apache Airflow vulnerability is tracked as CVE-2022-41672.
The severity of CVE-2022-41672 is high with a CVSS score of 8.1.
CVE-2022-41672 allows an already authenticated user to continue using the UI or API even after their account has been deactivated.
To fix CVE-2022-41672, users should update to Apache Airflow version 2.4.1 or later.
More information about CVE-2022-41672 can be found at the following references: [Reference 1](https://github.com/apache/airflow/pull/26635), [Reference 2](https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y).
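The defect class behind CVE-2022-41672 is a session that outlives the account it belongs to: once a login has issued a session, later requests trust the session token and never re-read the user record, so flipping the user to inactive changes nothing until the session expires. The following is an added illustration, not code from Airflow or from the linked pull request; it uses a constructed in-memory user and session store and two hypothetical request-authorization functions, `authorize_session_only` (the flawed pattern) and `authorize_with_active_check` (the pattern a fix needs: consult the current `active` flag on every request and revoke the stale session when it is false).

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


# Constructed user model for the demo. A real system stores a salted password
# hash; a plain string is used here only to keep the example dependency-free.
@dataclass
class User:
    username: str
    password: str
    active: bool = True


@dataclass
class Store:
    """In-memory stand-in for the user table and server-side session table."""
    users: Dict[str, User] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)  # token -> username

    def login(self, username: str, password: str) -> Optional[str]:
        """Issue a session token if the credentials are valid and the user is active."""
        user = self.users.get(username)
        if user is None or not user.active:
            return None
        if not hmac.compare_digest(user.password, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def deactivate(self, username: str) -> None:
        """Administrative deactivation: flips the flag but, by itself, touches no session."""
        self.users[username].active = False


def authorize_session_only(store: Store, token: str) -> Optional[str]:
    """Flawed per-request check: a valid session token is taken as proof the
    user may act. The 'active' flag was only consulted at login time, so a
    deactivated user keeps working until the session expires."""
    return store.sessions.get(token)


def authorize_with_active_check(store: Store, token: str) -> Optional[str]:
    """Corrected per-request check: resolve the session to a user, then re-read
    the user's current state. A missing or inactive user fails the request and
    the stale session is revoked so it cannot be presented again."""
    username = store.sessions.get(token)
    if username is None:
        return None
    user = store.users.get(username)
    if user is None or not user.active:
        store.sessions.pop(token, None)
        return None
    return username


def demo() -> Tuple[Tuple[Optional[str], Optional[str]], Tuple[Optional[str], Optional[str]]]:
    """Log a user in, deactivate them, and compare both checks before and after.
    Returns ((flawed_before, fixed_before), (flawed_after, fixed_after))."""
    store = Store()
    store.users["alice"] = User("alice", "correct horse battery staple")  # constructed
    token = store.login("alice", "correct horse battery staple")
    assert token is not None

    before = (authorize_session_only(store, token),
              authorize_with_active_check(store, token))

    store.deactivate("alice")  # admin disables the account mid-session

    after = (authorize_session_only(store, token),
             authorize_with_active_check(store, token))
    return before, after


if __name__ == "__main__":
    (flawed_before, fixed_before), (flawed_after, fixed_after) = demo()
    print("before deactivation:", flawed_before, fixed_before)  # alice alice
    print("after deactivation: ", flawed_after, fixed_after)    # alice None
```

The corrected check costs one user lookup per request; caching that lookup reintroduces the same window for the length of the cache TTL, so if a cache is used its lifetime should be bounded by how long a deactivated account may acceptably remain usable. Revoking the server-side session on the failed check, rather than merely rejecting the request, also prevents a stale cookie from being retried against a later, less careful code path.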