CVE-2024-27906 – apache-airflow
Package
Manager: pip
Name: apache-airflow
Vulnerable Version: >=0 <2.8.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00057 (percentile: 0.17635)
Details
Apache Airflow: DAG Code and Import Error Permissions Ignored

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability.
Metadata
Created: 2024-02-29T12:31:06Z
Modified: 2025-05-06T18:00:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-6v6w-h8m6-7mv2/GHSA-6v6w-h8m6-7mv2.json
CWE IDs: ["CWE-668", "CWE-862"]
Alternative ID: GHSA-6v6w-h8m6-7mv2
Finding: F017
Auto approve: 1