CVE-2024-27906: Apache Airflow: Dag Code and Import Error Permissions Ignored
First published: Thu Feb 29 2024(Updated: )
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/apache-airflow | <=2.8.1 | 2.8.2 |
| Apache Airflow | <2.8.2 | |
| <2.8.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/apache/airflow/pull/37290
- https://github.com/apache/airflow/pull/37468
- https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
- http://www.openwall.com/lists/oss-security/2024/02/29/1
- https://nvd.nist.gov/vuln/detail/CVE-2024-27906
- https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b
- https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9
- https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7
- https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a
- https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326
- https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446
- https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24
- https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2
- https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4
- https://github.com/advisories/GHSA-6v6w-h8m6-7mv2 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml
Frequently Asked Questions
What is the severity of CVE-2024-27906?
CVE-2024-27906 is considered a moderate severity vulnerability affecting Apache Airflow versions prior to 2.8.2.
How do I fix CVE-2024-27906?
To fix CVE-2024-27906, upgrade your Apache Airflow installation to version 2.8.2 or newer.
Who is affected by CVE-2024-27906?
Authenticated users of Apache Airflow versions before 2.8.2 can be affected by CVE-2024-27906.
What does CVE-2024-27906 allow attackers to do?
CVE-2024-27906 allows authenticated users to view DAG code and import errors of DAGs they do not have permission to access.
When was CVE-2024-27906 reported?
CVE-2024-27906 was reported and documented in early 2024.
- agent/title
- agent/type
- agent/first-publish-date
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-27906
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/trending
- agent/source
- agent/description
- agent/event
- collector/github-advisory
- source/GitHub
- alias/GHSA-6v6w-h8m6-7mv2
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/weakness
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/github-advisory-latest
- collector/nvd-cve
- package-manager/pip
- vendor/apache
- canonical/apache airflow