Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users

GHSA-6xwf-xvf3-v459 · BIT-airflow-2024-26280 · CVE-2024-26280 · PYSEC-2024-42

Published Mar 1, 2024 · Modified Nov 1, 2024

Description

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-26280
WEB https://github.com/apache/airflow/pull/37501
WEB https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa
WEB https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99
WEB https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e
WEB https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d
WEB https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f
WEB https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c
PACKAGE https://github.com/apache/airflow
WEB https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml
WEB https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh
WEB http://www.openwall.com/lists/oss-security/2024/03/01/1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes