CVE-2024-28746: Apache Airflow: Ignored Airflow Permissions
First published: Wed Mar 13 2024(Updated: )
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/apache-airflow | >=2.8.0<2.8.3rc1 | 2.8.3rc1 |
| Apache Airflow | >=2.8.0<2.8.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2024-28746
- https://github.com/apache/airflow/pull/37881
- https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7
- https://github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773cca
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yaml
- https://github.com/advisories/GHSA-h574-6646-vfxx (Advisory)
- http://www.openwall.com/lists/oss-security/2024/03/13/5
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-28746
- agent/title
- agent/first-publish-date
- agent/weakness
- agent/description
- agent/type
- agent/event
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h574-6646-vfxx
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/softwarecombine
- agent/tags
- agent/trending
- package-manager/pip
- vendor/apache
- canonical/apache airflow
- version/apache airflow/2.8.0