List: oss-security
Subject: [oss-security] CVE-2023-40273: Session fixation in Apache Airflow web interface
From: Ephraim Anierobi <ephraimanierobi () apache ! org>
Date: 2023-08-23 10:32:26
Message-ID: 924cd47e-e1b8-b70e-88b1-4a7ddf11e15a () apache ! org
Severity: low
Affected versions:
- Apache Airflow before 2.7.0
Description:
The session fixation vulnerability allowed an authenticated user to continue accessing the Airflow webserver even after the admin had reset that user's password, up until the expiry of the user's session. Other than manually cleaning the session database (for the database session backend), or changing the secure_key and restarting the webserver, there was no mechanism to force-logout the user (and doing so also logs out all other users).
With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the user's password is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (which logs out all other users), but the user resetting the password is informed of this with a flash warning message displayed in the UI. The documentation has also been updated to explain this behaviour.
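The difference between the two backends described above, as an added illustration that is not Airflow's own code: a server-side (database) session can be deleted per user on password reset, while a signed client-side (securecookie) session keeps verifying until the signing key is rotated, which invalidates every user's session at once. Class and function names are constructed stand-ins, not Airflow APIs.

```python
import hashlib
import hmac
import json
import secrets


# Constructed in-memory stand-ins for the two session backends the advisory contrasts.
class DatabaseSessionBackend:
    """Server-side sessions: the server owns the state, so it can drop one user's sessions."""

    def __init__(self):
        self.sessions = {}  # session id -> username

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def current_user(self, sid):
        return self.sessions.get(sid)

    def invalidate_user(self, username):
        """Drop every session belonging to `username` (what a reset does with this backend)."""
        for sid in [s for s, u in self.sessions.items() if u == username]:
            del self.sessions[sid]


class SecureCookieBackend:
    """Client-side sessions: state lives in an HMAC-signed cookie held by the browser,
    so the server cannot revoke a single session; only rotating the key invalidates all."""

    def __init__(self, secret_key):
        self.secret_key = secret_key

    def _sign(self, payload):
        return hmac.new(self.secret_key, payload, hashlib.sha256).hexdigest()

    def login(self, username):
        payload = json.dumps({"user": username}).encode()
        return payload.hex() + "." + self._sign(payload)

    def current_user(self, cookie):
        body, _, sig = cookie.rpartition(".")
        payload = bytes.fromhex(body)
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None  # signature no longer verifies (e.g. key rotated)
        return json.loads(payload)["user"]

    def rotate_secret_key(self):
        self.secret_key = secrets.token_bytes(32)  # logs out every user, not just one


def reset_password_demo():
    """Return (db user after reset, cookie user after reset, cookie user after key rotation)."""
    db, cookie = DatabaseSessionBackend(), SecureCookieBackend(secrets.token_bytes(32))
    db_sid, cookie_val = db.login("alice"), cookie.login("alice")
    db.invalidate_user("alice")  # admin resets alice's password: DB-backed session is gone
    after_db, after_cookie = db.current_user(db_sid), cookie.current_user(cookie_val)
    cookie.rotate_secret_key()  # the only lever for the securecookie backend
    return after_db, after_cookie, cookie.current_user(cookie_val)
```

Running `reset_password_demo()` returns `(None, 'alice', None)`: the database session is revoked immediately, the cookie session survives the reset, and only key rotation ends it.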
Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.
Credit:
Yusuf AYDIN (@h1_yusuf) (finder)
L3yx of Syclover Security Team (finder)
References:
https://github.com/apache/airflow/pull/33347
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-40273