CVE-2024-27906 — Missing Authorization in Software Foundation Apache Airflow

CWE-862 — Missing Authorization CWE-668 — Resource Exposure5 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.1%

top 84.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedFeb 29

Description

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.5 | Impact: 3.4

Affected Packages2 packages

▶NVDapache/airflow< 2.8.2

▶CVEListV5apache_software_foundation/apache_airflow< 2.8.2

🔴Vulnerability Details

GHSA

Apache Airflow: DAG Code and Import Error Permissions Ignored↗2024-02-29

▶

CVEList

Apache Airflow: Dag Code and Import Error Permissions Ignored↗2024-02-29

▶

OSV

CVE-2024-27906: Apache Airflow, versions before 2↗2024-02-29

▶

OSV

Apache Airflow: DAG Code and Import Error Permissions Ignored↗2024-02-29

▶