=====================================================================

                               CERT-Renater

                   Note d'Information No. 2022/VULN315

_____________________________________________________________________

DATE                : 06/09/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior
                                to 2.3.4.

=====================================================================
https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv
_____________________________________________________________________

CVE-2022-38170: Apache Airflow: Overly permissive umask for deamons


Description:

In Apache Airflow prior to 2.3.4, an insecure umask was configured
for numerous Airflow components when running with the `--deamon`
flag which could result in a race condition giving world-writable
files in the Airflow home directory and allowing local users to
expose arbitrary file contents via the webserver.


Mitigation:

Run without the `--deamon` flag via a process supervisor instead
(systemd, runit, etc.).


Credit:

The Apache Airflow PMC would like to thank Harry Sintonen for
reporting this issue.

_____________________________________________________________________

CVE-2022-38054: Apache Airflow: Session Fixation

Description:

In Apache Airflow versions 2.2.4 through 2.3.3, the `database`
webserver session backend was susceptible to session fixation.


Credit:

The Apache Airflow PMC would like to thank Kai Zhao for reporting
this issue.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================