CVE-2022-41672 — Insufficient Session Expiration in Software Foundation Apache Airflow

CWE-613 — Insufficient Session Expiration CWE-285 — Improper Authorization5 documents4 sources

Severity

8.1HIGHNVD

EPSS

0.3%

top 43.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedOct 7

Description

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶NVDapache/airflow2.4.1

▶CVEListV5apache_software_foundation/apache_airflowunspecified — 2.4.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Session still functional after user is deactivated↗2022-10-07

▶

OSV

CVE-2022-41672: In Apache Airflow, prior to version 2↗2022-10-07

▶

GHSA

Apache Airflow may allow authenticated users who have been deactivated to continue using the UI or API↗2022-10-07

▶

OSV

Apache Airflow may allow authenticated users who have been deactivated to continue using the UI or API↗2022-10-07

▶