Auth Bypass: Airflow 2.8.0-2.8.2 UI Permissions Leak, fixed in 2.8.3
CVE-2024-28746 Published on March 14, 2024

Apache Airflow: Ignored Airflow Permissions
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.  Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability

Vendor Advisory NVD

Vulnerability Analysis

CVE-2024-28746 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

Improper Preservation of Permissions

The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.


Products Associated with CVE-2024-28746

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-28746 are published in Apache AirFlow:

Apache AirFlow
 

Affected Versions

Apache Software Foundation Apache Airflow:

Exploit Probability

EPSS
0.10%
Percentile
26.97%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.