BIT-airflow-2023-40273
Session fixation vulnerability in apache-airflow (PyPI)
What is BIT-airflow-2023-40273 About?
This session fixation vulnerability allowed an authenticated user to maintain access to the Airflow webserver even after their password was reset by an administrator, until their session expired. This bypasses security measures designed to revoke access upon credential change, making it moderately easy to exploit if an attacker can compromise a session and the admin resets a password. The impact is continued unauthorized access to the webserver.
Affected Software
- apache-airflow
  - <2.7.0rc2
  - <2.7.1rc1
Technical Details
The vulnerability lies in insufficient session invalidation in Apache Airflow prior to version 2.7.0. When an administrator reset a user's password, the user's existing sessions remained valid. With the 'database' session backend, the user's session record was not removed from the session store, so the existing session continued to grant access to the Airflow webserver. With the 'securecookie' session backend, no invalidation was performed at all, and forcing a logout required manual intervention (changing secure_key and restarting the webserver). As a result, an attacker who had obtained a user's session (for example through session hijacking or token theft) could retain access despite the password reset, undermining the security posture of the application.
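The two invalidation gaps described above, shown from the defender's side in an added example that is not Airflow's own code: a server-side session store whose records are dropped on password reset (the 'database' case) and a signed cookie that embeds a credential version so stale cookies are rejected without rotating the signing key (the 'securecookie' case). The class names, SECRET_KEY value and sample user are constructed for this illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET_KEY = b"constructed-demo-key"  # constructed value; a real deployment rotates this

class User:
    # Password hash storage is elided; only the revocation state is modelled
    def __init__(self, name):
        self.name = name
        self.credential_version = 1  # bumped on every password reset

class SessionStore:
    """Server-side store, the analogue of a 'database' session backend."""
    def __init__(self):
        self._sessions = {}  # session id -> username
    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user.name
        return sid
    def lookup(self, sid):
        return self._sessions.get(sid)
    def revoke_user(self, username):
        # Drop every session of the user, not just the one making the request
        for sid in [s for s, u in self._sessions.items() if u == username]:
            del self._sessions[sid]

def sign_cookie(user):
    """Stateless signed cookie (the 'securecookie' analogue) that records the version."""
    payload = json.dumps({"user": user.name, "cv": user.credential_version}).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac

def cookie_user(cookie, users):
    """Username for a valid cookie, or None if the cookie is forged or stale."""
    body, _, mac = cookie.rpartition(".")
    payload = base64.urlsafe_b64decode(body)
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    data = json.loads(payload)
    user = users.get(data["user"])
    # A cookie minted before the last reset carries an outdated version
    if user is None or data["cv"] != user.credential_version:
        return None
    return user.name

def admin_reset_password(user, store):
    """Beyond replacing the password hash, a reset must revoke both session kinds."""
    user.credential_version += 1  # invalidates every signed cookie for this user
    store.revoke_user(user.name)   # invalidates every server-side session
```

The version check means a reset invalidates only that user's cookies, whereas rotating the signing key logs out everyone at once.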
What is the Impact of BIT-airflow-2023-40273?
Successful exploitation may allow attackers to maintain unauthorized access to the Airflow webserver despite a password reset, bypass security controls, and potentially access or manipulate data associated with the compromised user's privileges.
What is the Exploitability of BIT-airflow-2023-40273?
Exploitation requires an authenticated session to already exist, either legitimately or through prior compromise (e.g., session hijacking or session token theft). No further authentication is needed at the time of exploitation if the attacker holds a valid session token. It is a logic flaw that can be exploited remotely once a session is compromised. The complexity is moderate, depending primarily on the attacker's ability to obtain or keep a session token. The primary risk factor is the persistence of session tokens even after a critical security event such as a password reset.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-airflow-2023-40273?
Available Upgrade Options
- apache-airflow
  - <2.7.0rc2 → Upgrade to 2.7.0rc2
  - <2.7.1rc1 → Upgrade to 2.7.1rc1
Additional Resources
- https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-158.yaml
- https://github.com/apache/airflow
- https://github.com/apache/airflow/commit/f5d8201ea7935d17cecaf25fc90d4ef0ccdd627b
- https://github.com/apache/airflow/pull/33347
- https://www.openwall.com/lists/oss-security/2023/08/23/1
- https://osv.dev/vulnerability/PYSEC-2023-158
What are Similar Vulnerabilities to BIT-airflow-2023-40273?
Similar Vulnerabilities: CVE-2015-0234, CVE-2010-3866, CVE-2008-5188, CVE-2006-2580
