CVE-2024-26280 — Incorrect Default Permissions in Software Foundation Apache Airflow

CWE-276 — Incorrect Default Permissions5 documents4 sources

Severity

4.7MEDIUMNVD

EPSS

0.2%

top 54.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedMar 1

Description

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:LExploitability: 1.2 | Impact: 3.4

Affected Packages2 packages

▶NVDapache/airflow< 2.8.2

▶CVEListV5apache_software_foundation/apache_airflow< 2.8.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-26280: Apache Airflow, versions before 2↗2024-03-01

▶

CVEList

Apache Airflow: Overly broad default permissions for Viewer/Ops (audit logs)↗2024-03-01

▶

OSV

Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users↗2024-03-01

▶

GHSA

Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users↗2024-03-01

▶