BIT-airflow-2024-27906
Information Disclosure vulnerability in apache-airflow (PyPI)
What is BIT-airflow-2024-27906 About?
Apache Airflow versions before 2.8.2 suffer from an information disclosure vulnerability, allowing authenticated users to view DAG code and import errors for unauthorized DAGs. This bypasses access controls, potentially revealing sensitive operational logic or debugging information. Exploitation is straightforward for authenticated users.
Affected Software
Technical Details
The vulnerability in Apache Airflow, affecting versions prior to 2.8.2, is an access control bypass leading to information disclosure. Authenticated users, even without explicit permissions to view specific DAGs, can leverage the API and UI to access the source code and import errors of those restricted DAGs. This suggests a flaw in the authorization checks performed by the API endpoints and UI components responsible for displaying DAG details. Instead of properly enforcing granular permissions, these interfaces inadvertently expose sensitive DAG internals, such as business logic, credentials or configuration details embedded in the DAG code, to any authenticated user who knows or can guess the DAG identifier.
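As an added illustration (not code from this page or from Airflow itself), the following Python contrasts the authentication-only gate described above with a per-DAG authorization check on both the source view and the import-error listing; the DAG ids, file paths, permission model, and the rule that an import error is shown only when the user may read every DAG declared in that file are constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed data: DAG id -> source, DAG file -> DAG ids it declares, and
# DAG file -> import error. None of this is Airflow's own data model.
DAG_SOURCE: Dict[str, str] = {
    "billing_export": "# connects to the finance warehouse\nconn = 'postgres://finance'",
    "public_report": "# nightly public report",
}
DAG_FILE_DAGS: Dict[str, Set[str]] = {
    "dags/billing.py": {"billing_export"},
    "dags/report.py": {"public_report"},
}
IMPORT_ERRORS: Dict[str, str] = {
    "dags/billing.py": "ModuleNotFoundError: No module named 'finance_sdk'",
}


class Forbidden(Exception):
    """Authenticated user lacks read permission on the requested DAG."""


@dataclass
class User:
    name: str
    readable_dags: Set[str] = field(default_factory=set)  # per-DAG read grants

    def can_read_dag(self, dag_id: str) -> bool:
        return dag_id in self.readable_dags


def get_dag_source_vulnerable(user: User, dag_id: str) -> str:
    # The flawed pattern: authentication is the only gate, so any logged-in
    # user can read any DAG's code, including embedded connection details.
    if user is None:
        raise PermissionError("login required")
    return DAG_SOURCE[dag_id]


def get_dag_source_fixed(user: User, dag_id: str) -> str:
    # Authorization is checked against the specific DAG being requested.
    if not user.can_read_dag(dag_id):
        raise Forbidden(f"{user.name} may not read DAG {dag_id}")
    return DAG_SOURCE[dag_id]


def source_denied(user: User, dag_id: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        get_dag_source_fixed(user, dag_id)
    except Forbidden:
        return True
    return False


def list_import_errors_fixed(user: User) -> List[str]:
    # Import errors expose file paths and tracebacks, so an error is listed
    # only when the user may read every DAG that file declares (assumption).
    visible = []
    for path, message in IMPORT_ERRORS.items():
        if all(user.can_read_dag(d) for d in DAG_FILE_DAGS.get(path, set())):
            visible.append(f"{path}: {message}")
    return visible
```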
What is the Impact of BIT-airflow-2024-27906?
Successful exploitation may allow attackers to obtain sensitive information, bypass access controls, gain insight into system configurations, and aid further attacks.
What is the Exploitability of BIT-airflow-2024-27906?
Exploitation of this vulnerability is simple, requiring only an authenticated user account. No special privileges beyond basic user authentication are necessary to access the restricted DAG information. Remote access is possible as the vulnerability can be triggered via the Airflow API and UI, which are typically accessible over a network. There are no known special conditions or constraints other than being an authenticated user. The risk of exploitation is increased if there are many authenticated users in an environment, or if user accounts are not properly managed or monitored. The ease of exploitation means that any authenticated user could potentially compromise the confidentiality of DAG code they are not authorized to see.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-airflow-2024-27906?
Available Upgrade Options
- apache-airflow
- <2.8.2 → Upgrade to 2.8.2
Additional Resources
- https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326
- http://www.openwall.com/lists/oss-security/2024/02/29/1
- https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
- https://osv.dev/vulnerability/GHSA-6v6w-h8m6-7mv2
- https://github.com/apache/airflow/pull/37468
- https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9
- https://github.com/apache/airflow/pull/37290
- https://nvd.nist.gov/vuln/detail/CVE-2024-27906
- https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2
What are Similar Vulnerabilities to BIT-airflow-2024-27906?
Similar Vulnerabilities: CVE-2023-50944, CVE-2024-50378, CVE-2023-38038, CVE-2023-46726, CVE-2023-45585
