CVE-2022-38054
Session Fixation vulnerability in apache-airflow (PyPI)
What is CVE-2022-38054 About?
This vulnerability is a Session Fixation flaw in Apache Airflow versions 2.2.4 through 2.3.3 when the 'database' webserver session backend is used. Because the session ID is not regenerated at login, an attacker who can get a victim's browser to use a pre-determined session ID can reuse that same ID once the victim authenticates. This could lead to account takeover and is moderately easy to exploit if a user can be induced to use the fixed session ID.
Affected Software
Technical Details
Apache Airflow versions 2.2.4 through 2.3.3, when configured with the 'database' webserver session backend, are susceptible to Session Fixation. The root cause is that the application does not generate a new session ID upon successful user authentication: the anonymous, pre-login session ID is simply promoted to an authenticated one. An attacker can therefore initiate a session with the Airflow webserver, obtain a session ID, and trick a legitimate user into using that pre-established ID (e.g., via a malicious link or a cookie injection attack). Once the legitimate user authenticates under the fixed session ID, the attacker can present the same ID to take over the authenticated session, gaining the user's full access and privileges within Airflow. The fix is to invalidate the pre-authentication session and issue a fresh session ID at login.
What is the Impact of CVE-2022-38054?
Successful exploitation may allow attackers to hijack authenticated user sessions, leading to unauthorized access to the application, privilege escalation, and full account takeover.
What is the Exploitability of CVE-2022-38054?
Exploitation of session fixation requires an attacker to obtain a valid session ID from the server, typically by visiting a login page. The attacker must then fixate this session ID in the victim's browser, often via a URL parameter, cookie injection, or a malicious link. The victim then needs to successfully authenticate using the fixed session ID. No authentication is required for the attacker to initiate the fixed session, but the victim must authenticate. Access is remote. The primary constraint is convincing the victim to use the attacker's session ID and then log in. Exploitability increases if the web server accepts session IDs in URLs or if the session cookie is not set with the 'Secure' and 'HttpOnly' flags.
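To make the root cause and the fix concrete, here is an added, self-contained Python illustration that is not Airflow's code (Airflow's real session handling is provided by its Flask session backend). It uses a hypothetical in-memory `SessionStore` standing in for a server-side ('database') session backend, and contrasts a login that keeps the pre-authentication session ID (the vulnerable pattern) with one that rotates it. The `run_login_check` helper is the test a defender would want: after the victim logs in, does the ID that existed before authentication still resolve to an authenticated session?

```python
"""Session-fixation check: does login rotate the session ID?

Added illustration, not Apache Airflow's code. SessionStore, Session and
run_login_check are hypothetical names chosen for this example.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None          # None until authenticated
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """In-memory stand-in for a server-side ('database') session backend."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> str:
        """Create an anonymous session, as a first visit to the login page would."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        """Resolve a presented session ID to its authenticated user, if any."""
        sess = self._sessions.get(sid)
        return sess.user if sess else None

    def login_without_rotation(self, sid: str, user: str) -> str:
        """Vulnerable pattern: the pre-auth session ID is kept and simply
        marked as authenticated, so anyone who knew it beforehand now holds
        an authenticated session."""
        sess = self._sessions[sid]
        sess.user = user
        return sid

    def login_with_rotation(self, sid: str, user: str) -> str:
        """Fixed pattern: discard the pre-auth session, copy any state worth
        keeping into a brand-new session ID, and return the new ID so the
        server can set it as the cookie."""
        old = self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        carried = dict(old.data) if old else {}
        self._sessions[new_sid] = Session(user=user, data=carried)
        return new_sid


def run_login_check(rotate_on_login: bool) -> Dict[str, bool]:
    """Simulate: a session ID exists before login, the victim authenticates
    under it, then check whether that pre-auth ID still grants access."""
    store = SessionStore()
    preauth_sid = store.new()                   # ID present before the victim logs in
    login = store.login_with_rotation if rotate_on_login else store.login_without_rotation
    post_login_sid = login(preauth_sid, "alice")   # constructed sample user
    return {
        "session_id_rotated": post_login_sid != preauth_sid,
        "preauth_id_authenticated": store.whoami(preauth_sid) is not None,
        "victim_still_logged_in": store.whoami(post_login_sid) == "alice",
    }


if __name__ == "__main__":
    print("no rotation :", run_login_check(rotate_on_login=False))
    print("rotation    :", run_login_check(rotate_on_login=True))
```

The same check can be run against a live deployment without any of this code: capture the session cookie value before logging in, log in, and compare; if the value is unchanged, the server has the fixation weakness regardless of which framework it uses.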
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-38054?
Available Upgrade Options
- apache-airflow
- >=2.2.4, <2.3.4rc1 → Upgrade to 2.3.4rc1
Additional Resources
- https://osv.dev/vulnerability/GHSA-5ff8-7639-6v6g
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-263.yaml
- https://github.com/apache/airflow
- https://github.com/advisories/GHSA-5ff8-7639-6v6g
- https://lists.apache.org/thread/rsd3h89xdp16rg0ltovx3m7q3ypkxsbb
- http://www.openwall.com/lists/oss-security/2022/09/02/1
- https://nvd.nist.gov/vuln/detail/CVE-2022-38054
What are Similar Vulnerabilities to CVE-2022-38054?
Similar Vulnerabilities: CVE-2009-1234, CVE-2010-0925, CVE-2012-5883, CVE-2013-1815, CVE-2013-4152
