
List:       oss-security
Subject:    [oss-security] CVE-2023-40273: Session fixation in Apache Airflow web interface
From:       Ephraim Anierobi <ephraimanierobi () apache ! org>
Date:       2023-08-23 10:32:26
Message-ID: 924cd47e-e1b8-b70e-88b1-4a7ddf11e15a () apache ! org

Severity: low

Affected versions:

- Apache Airflow before 2.7.0

Description:

The session fixation vulnerability allowed an authenticated user to continue accessing the Airflow webserver even after an admin had reset that user's password, up until the user's session expired. Other than manually cleaning the session database (for the database session backend), or changing the webserver secret_key and restarting the webserver (which also logs out every other user), there was no mechanism to force-logout the user.

With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secret_key and restarting the webserver (which logs out all other users), but the user resetting the password is informed about this with a flash message warning displayed in the UI. The documentation has also been updated to explain this behaviour.

Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.
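The difference between the two session backends described above is the whole story of this fix, so here is a constructed illustration (added example, not Airflow's code and not the patch in the referenced PR): a server-side session store that can delete one user's sessions on password reset, next to an HMAC-signed client-side cookie that the server cannot revoke individually and that only stops validating once the signing key is rotated, which logs everyone out. The `DatabaseSessionStore`, `SecureCookieBackend` and `reset_password` names are hypothetical stand-ins; the cookie format is a minimal base64-payload-plus-HMAC scheme written here for the demonstration.

```python
"""Constructed example: why a database session backend can revoke sessions
on password reset while a signed-cookie backend cannot. Not Airflow code."""
import base64
import hashlib
import hmac
import json
import secrets


class DatabaseSessionStore:
    """Hypothetical server-side session store (stands in for the 'database'
    session backend). The server holds the session rows, so it can delete
    every row that belongs to one user."""

    def __init__(self):
        self._sessions = {}  # opaque session id -> {"user_id": ...}

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id}
        return sid

    def load(self, sid):
        return self._sessions.get(sid)

    def invalidate_user(self, user_id):
        doomed = [sid for sid, s in self._sessions.items() if s["user_id"] == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


class SecureCookieBackend:
    """Hypothetical client-side session (stands in for the 'securecookie'
    backend): the whole session travels in the cookie, authenticated by an
    HMAC under the secret key. The server keeps no per-session state, so its
    only lever is the key itself, and changing the key affects all users."""

    def __init__(self, secret_key):
        self.secret_key = secret_key

    def _sign(self, payload):
        return hmac.new(self.secret_key, payload, hashlib.sha256).hexdigest()

    def create(self, user_id):
        payload = base64.urlsafe_b64encode(json.dumps({"user_id": user_id}).encode())
        return payload.decode() + "." + self._sign(payload)

    def load(self, cookie):
        try:
            payload_b64, sig = cookie.rsplit(".", 1)
        except ValueError:
            return None
        payload = payload_b64.encode()
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))

    def invalidate_user(self, user_id):
        # Nothing to delete server-side: existing cookies stay valid until expiry.
        return 0


def reset_password(backend, user_id):
    """Password-reset hook: revoke the user's sessions where the backend can,
    and return a warning where it cannot (the flash message from 2.7.0)."""
    revoked = backend.invalidate_user(user_id)
    warning = None
    if isinstance(backend, SecureCookieBackend):
        warning = ("securecookie backend: this user's existing sessions stay "
                   "valid; rotate [webserver] secret_key and restart the "
                   "webserver to log everyone out")
    return revoked, warning


def demo():
    """Run both backends through a password reset and report what stays valid."""
    results = {}
    db = DatabaseSessionStore()
    alice_sid = db.create("alice")
    bob_sid = db.create("bob")
    revoked, warning = reset_password(db, "alice")
    results["db_revoked"] = revoked
    results["db_alice_valid_after_reset"] = db.load(alice_sid) is not None
    results["db_bob_still_valid"] = db.load(bob_sid) is not None
    results["db_warning_issued"] = warning is not None

    sc = SecureCookieBackend(secrets.token_bytes(32))
    alice_cookie = sc.create("alice")
    revoked, warning = reset_password(sc, "alice")
    results["cookie_revoked"] = revoked
    results["cookie_alice_valid_after_reset"] = sc.load(alice_cookie) is not None
    results["cookie_warning_issued"] = warning is not None
    # The only remedy: a new key, which rejects every user's existing cookie.
    rotated = SecureCookieBackend(secrets.token_bytes(32))
    results["cookie_valid_after_key_rotation"] = rotated.load(alice_cookie) is not None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from `demo()` is that a server-side store can be pruned per user, while a signed cookie is valid for as long as the key that signed it is; that is exactly why the securecookie path can only warn the admin rather than revoke.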

Credit:

Yusuf AYDIN (@h1_yusuf) (finder)
L3yx of Syclover Security Team. (finder)

References:

https://github.com/apache/airflow/pull/33347
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-40273

