CVE-2024-28746

CWE-2815 documents4 sources

Severity

8.1HIGH

EPSS

0.1%

top 77.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedMar 14

Description

Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶NVDapache/airflow2.8.0 — 2.8.3

▶PyPIapache-airflow2.8.0 — 2.8.3rc1

▶CVEListV5apache_software_foundation/apache_airflow2.8.0 — 2.8.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-28746: Apache Airflow, versions 2↗2024-03-14

▶

OSV

Apache Airflow: Ignored Airflow Permission↗2024-03-14

▶

CVEList

Apache Airflow: Ignored Airflow Permissions↗2024-03-14

▶

GHSA

Apache Airflow: Ignored Airflow Permission↗2024-03-14

▶