BIT-airflow-2024-31869
Incorrect Authorization vulnerability in apache-airflow (PyPI)
What is BIT-airflow-2024-31869 About?
HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 are vulnerable to incorrect authorization, where an Entity's Group membership may inadvertently include Groups it no longer has permissions to. This can lead to unauthorized access to resources. Exploitation likely requires specific conditions related to group membership changes.
Affected Software
Technical Details
This vulnerability affects HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3. It concerns an 'Incorrect Authorization' issue where an 'Entity' (a user or machine identity) can retain membership in 'Groups' for which it no longer has explicit permissions. This typically happens under specific circumstances, such as when group policies or memberships are altered but the system fails to correctly revoke existing group associations or update an Entity's effective permissions. This might occur due to a caching issue, a race condition, or a logical flaw in how group membership revocations are propagated and enforced. An attacker possessing a Vault Entity could exploit this by observing or manipulating changes in group memberships to retain access to resources they should no longer be permitted to reach.
What is the Impact of BIT-airflow-2024-31869?
Successful exploitation may allow attackers to retain unauthorized access to resources, secrets, or privileged operations, potentially leading to information disclosure, unauthorized modification, or further compromise of the system.
What is the Exploitability of BIT-airflow-2024-31869?
Exploitation complexity is likely moderate to high, as it requires specific conditions to be met, such as changes in group policies or entity assignments, potentially involving race conditions or timing. Authentication is required, as the attacker needs to be an authenticated entity within Vault. This is typically a local exploitation scenario within the Vault environment, but could be triggered remotely via API calls. Key risk factors include dynamic changes in user or group permissions, and environments where Vault's authorization engine is heavily relied upon for fine-grained access control, where such a flaw could lead to significant unintended access.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-airflow-2024-31869?
Available Upgrade Options
- apache-airflow
- >2.7.0, <2.9.0 → Upgrade to 2.9.0
Additional Resources
- https://github.com/apache/airflow/pull/38795
- http://www.openwall.com/lists/oss-security/2024/04/17/10
- https://github.com/apache/airflow/commit/042c2acaed7c01933d37c2f8434640ce140a4b27
- https://github.com/apache/airflow
- https://osv.dev/vulnerability/GHSA-2522-mrjc-m688
- https://nvd.nist.gov/vuln/detail/CVE-2024-31869
- https://lists.apache.org/thread/pz6vg7wcjk901rmsgt86h76g6kfcgtk3
What are Similar Vulnerabilities to BIT-airflow-2024-31869?
Similar Vulnerabilities: CVE-2022-41407, CVE-2023-2895, CVE-2024-2228, CVE-2023-29471, CVE-2021-29467
