CVE-2024-28746

EPSS 0.07%
Veröffentlicht 14.03.2024 09:15:47
Zuletzt bearbeitet 20.03.2025 19:15:28
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. 

Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version >= 2.8.0 < 2.8.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.23

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-281 Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

http://www.openwall.com/lists/oss-security/2024/03/13/5

Third Party Advisory

Mailing List

https://github.com/apache/airflow/pull/37881

Patch

https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-28746

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-28746

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-28746

EUVD