4.7

CVE-2024-26280

Apache Airflow: Overly broad default permissions for Viewer/Ops (audit logs)

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheAirflow Version < 2.8.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.86% 0.764
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.7 1.2 3.4
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

http://www.openwall.com/lists/oss-security/2024/03/01/1
Third Party Advisory
Mailing List
https://github.com/apache/airflow/pull/37501
Patch
Issue Tracking
https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh
Vendor Advisory
Mailing List