=====================================================================
                            CERT-Renater

                Note d'Information No. 2022/VULN357
_____________________________________________________________________

DATE                 : 06/10/2022

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Apache Airflow versions prior
                       to 2.4.1.

=====================================================================
https://lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08y
_____________________________________________________________________

CVE-2022-41672: Apache Airflow: Session still functional after user
is deactivated

Description:

In Apache Airflow, prior to version 2.4.1, deactivating a user
wouldn't prevent an already authenticated user from being able to
continue using the UI or API.

Credit:

The Apache Airflow PMC would like to thank Axel Chong (@Haxatron) for
reporting this issue.

References:

https://github.com/apache/airflow/pull/26635

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
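
The class of flaw described above, as an added example that is not part of the advisory and is neither Airflow code nor the change in the referenced pull request: a session loader that checks the active flag only at login, beside one that re-checks it on every request. All class and function names are hypothetical, and the user "alice" is constructed sample data.

```python
# Added illustration, not Airflow code; every name here is hypothetical.
import secrets
from dataclasses import dataclass

@dataclass
class User:
    username: str
    is_active: bool = True

class SessionStore:
    def __init__(self, users):
        self.users = users        # username -> User
        self.sessions = {}        # session token -> username

    def login(self, username):
        user = self.users.get(username)
        if user is None or not user.is_active:
            raise PermissionError("login refused")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def load_user_trusting(self, token):
        """Flawed: is_active was checked at login and never again."""
        username = self.sessions.get(token)
        return self.users.get(username) if username else None

    def load_user_checked(self, token):
        """Hardened: re-check account state on every request."""
        user = self.load_user_trusting(token)
        if user is None or not user.is_active:
            self.sessions.pop(token, None)    # drop the stale session
            return None
        return user

    def deactivate(self, username, revoke=True):
        """Flip the flag and, by default, revoke sessions already issued."""
        self.users[username].is_active = False
        if revoke:
            for tok in [t for t, u in self.sessions.items() if u == username]:
                del self.sessions[tok]

def demo():
    store = SessionStore({"alice": User("alice")})   # constructed sample user
    token = store.login("alice")
    store.deactivate("alice", revoke=False)          # flag flipped, session kept
    return (store.load_user_trusting(token) is not None,  # still accepted
            store.load_user_checked(token) is not None,   # rejected
            token in store.sessions)                      # stale session dropped
```

Either control closes the gap on its own: revoking sessions at deactivation time, or validating account state whenever a session is loaded. Applying both covers the case where one path is bypassed.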