CVE-2024-45033

EPSS 0.2%
Published 08.01.2025 09:15:07
Last modified 03.06.2025 21:11:55
Source security@apache.org
Teams watchlist Login
Open Login

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider.

This issue affects Apache Airflow Fab Provider: before 1.5.2.

When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from  CVE-2023-40273 https://github.com/advisories/GHSA-pm87-24wq-r8w9  which was addressed in Apache-Airflow 2.7.0


Users are recommended to upgrade to version 1.5.2, which fixes the issue.

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Apache-airflow-providers-fab Version < 1.5.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.2%	0.422

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://github.com/apache/airflow/pull/45139

Issue Tracking

https://lists.apache.org/thread/yw535346rk766ybzpqtvrl36sjj789st

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-45033

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45033

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45033

EUVD