CVE-2023-40273

CWE-384 CWE-613 — Insufficient Session Expiration7 documents5 sources

Severity

8.0HIGH

EPSS

0.3%

top 50.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Software Foundation Apache Airflow FAB Provider Apache Airflow

Timeline

PublishedAug 23

Latest updateJan 8

Description

The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that). With this fix implemented, when using the database sessio…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages4 packages

▶PyPIapache-airflow< 2.7.0rc2+1

▶CVEListV5apache_software_foundation/apache_airflow< 2.7.0

▶CVEListV5apache_software_foundation/apache_airflow_fab_provider< 1.5.2

▶NVDapache/airflow2.7.0

🔴Vulnerability Details

GHSA

Apache Airflow Fab Provider Insufficient Session Expiration vulnerability↗2025-01-08

▶

OSV

Apache Airflow Session Fixation vulnerability↗2023-08-23

▶

CVEList

Session fixation in Apache Airflow web interface↗2023-08-23

▶

OSV

CVE-2023-40273: The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been↗2023-08-23

▶

GHSA

Apache Airflow Session Fixation vulnerability↗2023-08-23

▶

💬Community

HackerOne

CVE-2023-40273: Session fixation in Apache Airflow web interface↗2023-09-04

▶