CVE-2022-41672
Authentication Bypass vulnerability in apache-airflow (PyPI)
What is CVE-2022-41672 About?
This vulnerability in Apache Airflow allows an already authenticated user to bypass account deactivation. Even after their account is deactivated, the user can continue to access the UI or API. Exploitation is simple, as it relies on an existing authenticated session.
Affected Software
- apache-airflow
  - <2.4.2rc1
  - <2.4.1rc1
Technical Details
The vulnerability occurs because Apache Airflow, prior to version 2.4.1, failed to properly invalidate or terminate existing user sessions upon account deactivation. If a user had an active authentication token or session cookie, deactivating their account would not revoke the validity of that existing session. Consequently, the user could continue to interact with the Airflow UI or API until their session naturally expired or was explicitly terminated by another mechanism, effectively bypassing the deactivation control.
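To make the control failure concrete, here is an added Python model (not Airflow's own code; all class and function names are hypothetical) of a session store that checks the account's active flag only at login, beside the two mitigations that close the gap: re-checking the flag on every request and revoking live sessions at deactivation time.

```python
# Added example (not Airflow's code): a minimal session store that models the
# CVE-2022-41672 flaw and the two controls that close it. Names are hypothetical.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class User:
    name: str
    active: bool = True

@dataclass
class SessionStore:
    users: Dict[str, User]
    sessions: Dict[str, str] = field(default_factory=dict)  # token -> username
    # False models the pre-2.4.1 behaviour: the active flag is consulted only at login.
    check_active_per_request: bool = False

    def login(self, name: str) -> Optional[str]:
        """Issue a session token; the active flag is checked here only."""
        user = self.users.get(name)
        if user is None or not user.active:
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = name
        return token

    def deactivate(self, name: str, revoke_sessions: bool = False) -> None:
        """Mark the account inactive; optionally revoke its live sessions."""
        self.users[name].active = False
        if revoke_sessions:
            for token in [t for t, u in self.sessions.items() if u == name]:
                del self.sessions[token]

    def authorize(self, token: str) -> Optional[str]:
        """Resolve a request token to a username, or None if access is denied."""
        name = self.sessions.get(token)
        if name is None:
            return None
        if self.check_active_per_request and not self.users[name].active:
            del self.sessions[token]  # hardened path: re-check the flag on every request
            return None
        return name

def deactivated_user_still_authorized(check_active: bool, revoke: bool) -> bool:
    """Log in, deactivate, then replay the old token; True means the bypass works."""
    store = SessionStore({"alice": User("alice")}, check_active_per_request=check_active)
    token = store.login("alice")
    store.deactivate("alice", revoke_sessions=revoke)
    return store.authorize(token) is not None
```

With both flags off the replayed token is still honoured, which is the behaviour described above; either control alone is enough to deny the request, and the per-request check is the one that also covers tokens issued before the deactivation was recorded.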
What is the Impact of CVE-2022-41672?
Successful exploitation may allow attackers to maintain unauthorized access to system resources, bypass intended access restrictions, and continue to perform actions as a deactivated user.
What is the Exploitability of CVE-2022-41672?
Exploitation of this vulnerability is of low complexity. It requires the attacker to have been previously authenticated and to possess an active session. No special privileges are needed beyond being an authenticated user with an active session. This is an authentication bypass that can be initiated remotely as long as the session token remains valid. The key risk factor is the persistence of active sessions even after an account has been marked as deactivated, increasing the window of opportunity for an attacker whose account has been compromised or administratively revoked.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-41672?
Available Upgrade Options
- apache-airflow
  - <2.4.1rc1 → Upgrade to 2.4.1rc1
  - <2.4.2rc1 → Upgrade to 2.4.2rc1
Additional Resources
- https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42983.yaml
- https://osv.dev/vulnerability/GHSA-3q8r-f3pj-3gc4
- https://github.com/apache/airflow/commit/12bfb571a895a28a58d3189b0fc10cfc1b89e24c
- https://github.com/apache/airflow
- https://github.com/apache/airflow/pull/26635
- https://nvd.nist.gov/vuln/detail/CVE-2022-41672
What are Similar Vulnerabilities to CVE-2022-41672?
Similar Vulnerabilities: CVE-2023-37905, CVE-2023-38035, CVE-2023-38036, CVE-2023-28432, CVE-2023-38034
