2267069 – (CVE-2024-27906) CVE-2024-27906 Apache-Airflow: Dag Code and Import Error Permissions Ignored

Bug 2267069 (CVE-2024-27906) - CVE-2024-27906 Apache-Airflow: Dag Code and Import Error Permissions Ignored

Summary: CVE-2024-27906 Apache-Airflow: Dag Code and Import Error Permissions Ignored

Keywords:
Status:	NEW
Alias:	CVE-2024-27906
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2267070
Blocks:
TreeView+	depends on / blocked

Reported:	2024-02-29 14:19 UTC by ybuenos
Modified:	2024-02-29 14:20 UTC (History)
CC List:	0 users
Fixed In Version:	apache-airflow 2.8.2
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description ybuenos 2024-02-29 14:19:53 UTC

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

https://github.com/apache/airflow/pull/37290
https://github.com/apache/airflow/pull/37468
https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5

Comment 1 ybuenos 2024-02-29 14:20:08 UTC

Created golang-cloud-google tracking bugs for this issue:

Affects: fedora-all [bug 2267070]

Note You need to log in before you can comment on or make changes to this bug.