CVE-2024-28746 – apache-airflow

Package

Manager: pip
Name: apache-airflow
Vulnerable Version: >=2.8.0 <2.8.3rc1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L

EPSS: 0.00068 pctl0.21444

Details

Apache Airflow: Ignored Airflow Permission Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.  Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability

Metadata

Created: 2024-03-14T09:31:05Z
Modified: 2024-05-02T19:01:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-h574-6646-vfxx/GHSA-h574-6646-vfxx.json
CWE IDs: ["CWE-281"]
Alternative ID: GHSA-h574-6646-vfxx
Finding: F159
Auto approve: 1