
=====================================================================

                             CERT-Renater

                   Note d'Information No. 2023/VULN293

_____________________________________________________________________

DATE                : 05/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions
                      prior to 2.7.0.

=====================================================================
https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj
https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r
_____________________________________________________________________

CVE-2023-40273: Session fixation in Apache Airflow web interface
Severity: low

Affected versions:

- Apache Airflow before 2.7.0

Description:

The session fixation vulnerability allowed an authenticated user to
continue accessing the Airflow webserver even after the user's
password had been reset by the admin, up until the expiry of the
user's session. Other than manually cleaning the session database
(for the database session backend), or changing the secure_key and
restarting the webserver, there was no mechanism to force-logout the
user (and doing so logs out all other users with them).

With this fix implemented, when using the database session backend,
the existing sessions of the user are invalidated when the password
of the user is reset. When using the securecookie session backend,
the sessions are NOT invalidated and still require changing the
secure key and restarting the webserver (and logging out all other
users), but the user resetting the password is informed about it
with a flash message warning displayed in the UI. Documentation is
also updated explaining this behaviour.

Users of Apache Airflow are advised to upgrade to version 2.7.0 or
newer to mitigate the risk associated with this vulnerability.
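The contrast drawn above between the two session backends is easy to
see in code. The following added example is not Airflow's code and
does not use any Airflow API; the class and function names
(DbSessionStore, SignedCookieSessions, demo) are illustrative. It shows
why a server-side (database) session store can drop exactly one user's
sessions on password reset, while a signed-cookie ("securecookie")
session can only be revoked for everyone by rotating the signing key.

```python
"""Added example (not Airflow's code): per-user session invalidation with a
database session store versus key rotation with signed cookies.
All names below are illustrative, not Airflow APIs."""
import hashlib
import hmac
import secrets
import sqlite3
import time


class DbSessionStore:
    """Server-side sessions: the server holds each record, so it can delete it."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions (sid TEXT PRIMARY KEY, user TEXT, expires REAL)"
        )
        self.db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")

    def set_password(self, user: str, password: str) -> None:
        # Demo only: a real deployment uses a password KDF (argon2, bcrypt, ...).
        pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self.db.execute("INSERT OR REPLACE INTO users VALUES (?, ?)", (user, pw_hash))

    def login(self, user: str, ttl: float = 3600) -> str:
        sid = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT INTO sessions VALUES (?, ?, ?)", (sid, user, time.time() + ttl)
        )
        return sid

    def is_valid(self, sid: str) -> bool:
        row = self.db.execute(
            "SELECT expires FROM sessions WHERE sid = ?", (sid,)
        ).fetchone()
        return row is not None and row[0] > time.time()

    def reset_password(self, user: str, new_password: str) -> int:
        """The behaviour the advisory describes for the database backend:
        every existing session of that user is dropped; other users keep theirs."""
        self.set_password(user, new_password)
        cur = self.db.execute("DELETE FROM sessions WHERE user = ?", (user,))
        return cur.rowcount


class SignedCookieSessions:
    """Client-side sessions: the cookie carries the state plus an HMAC. The server
    stores nothing it could delete, so a password reset cannot revoke the cookie."""

    def __init__(self, secret_key: bytes) -> None:
        self.secret_key = secret_key

    def _mac(self, payload: str) -> str:
        return hmac.new(self.secret_key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, ttl: int = 3600) -> str:
        payload = f"{user}:{int(time.time()) + ttl}"
        return f"{payload}:{self._mac(payload)}"

    def is_valid(self, cookie: str) -> bool:
        user, expires, mac = cookie.rsplit(":", 2)
        expected = self._mac(f"{user}:{expires}")
        return hmac.compare_digest(mac, expected) and int(expires) > time.time()

    def rotate_key(self) -> None:
        """The only lever left for securecookie: invalidates everyone's cookies."""
        self.secret_key = secrets.token_bytes(32)


def demo() -> dict:
    """Constructed scenario: alice has two sessions, bob has one, alice's
    password is reset by an admin."""
    db = DbSessionStore()
    db.set_password("alice", "old-password")
    db.set_password("bob", "bob-password")
    a1, a2, b1 = db.login("alice"), db.login("alice"), db.login("bob")
    dropped = db.reset_password("alice", "new-password")

    cookies = SignedCookieSessions(secrets.token_bytes(32))
    c = cookies.issue("alice")
    valid_after_reset = cookies.is_valid(c)  # nothing server-side to revoke
    cookies.rotate_key()
    return {
        "db_sessions_dropped": dropped,
        "alice_db_sessions_valid": (db.is_valid(a1), db.is_valid(a2)),
        "bob_db_session_valid": db.is_valid(b1),
        "cookie_valid_after_reset": valid_after_reset,
        "cookie_valid_after_rotation": cookies.is_valid(c),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the asymmetry the advisory relies on: the database
store drops both of alice's sessions and leaves bob logged in, whereas
the signed cookie still verifies after the reset and only fails once
the key is rotated, which also invalidates every other user's cookie.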


Credit:

Yusuf AYDIN (@h1_yusuf) (finder)
L3yx of Syclover Security Team (finder)


References:

https://github.com/apache/airflow/pull/33347
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-40273

_____________________________________________________________________

CVE-2023-37379: Apache Airflow: Exposure of sensitive connection
information, DoS and SSRF on "test connection" feature
Severity: moderate

Affected versions:

- Apache Airflow before 2.7.0

Description:

Apache Airflow, in versions prior to 2.7.0, contains a security
vulnerability that can be exploited by an authenticated user possessing
Connection edit privileges. This vulnerability allows the user to
access connection information and to abuse the test connection feature
by sending many requests, leading to a denial of service (DoS)
condition on the server. Furthermore, malicious actors can leverage
this vulnerability to make the server open connections to hosts of
their choosing (SSRF).

Users of Apache Airflow are strongly advised to upgrade to version
2.7.0 or newer to mitigate the risk associated with this vulnerability.
Additionally, administrators are encouraged to review and adjust user
permissions to restrict access to sensitive functionalities, reducing
the attack surface.
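The three risks named above (information exposure, DoS through
repeated requests, and SSRF) each map to a distinct control in front of
a "test connection" endpoint. The following added example is not
Airflow's code and does not reproduce the 2.7.0 fix; the names
(Request, ConnectionTestGate, the "connection.test" permission string,
the allowlisted host) are illustrative assumptions. It shows a gate
that requires a dedicated permission rather than generic edit rights,
applies a per-user rate limit, restricts destinations to an allowlist,
and reduces the test result to a status so the stored secret and
upstream error text are never echoed back.

```python
"""Added example (not Airflow's code): a defensive gate in front of a
'test connection' endpoint. All names are illustrative assumptions."""
import ipaddress
import time
from collections import deque
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Request:
    user: str
    perms: frozenset            # permissions held by the calling user
    target_url: str             # endpoint the user asks the server to test
    password: str = ""          # secret stored with the connection (must not leak)
    now: float = field(default_factory=time.time)


class ConnectionTestGate:
    """Checks run in order: permission, rate limit, destination allowlist."""

    REQUIRED_PERM = "connection.test"   # hypothetical dedicated permission

    def __init__(self, allowed_hosts, max_per_minute: int = 5) -> None:
        self.allowed_hosts = set(allowed_hosts)
        self.max_per_minute = max_per_minute
        self.history: dict = {}          # user -> deque of request timestamps

    def _rate_ok(self, user: str, now: float) -> bool:
        # Sliding one-minute window per user; counts the request even when the
        # destination is later rejected, so target probing is limited too.
        q = self.history.setdefault(user, deque())
        while q and now - q[0] > 60:
            q.popleft()
        if len(q) >= self.max_per_minute:
            return False
        q.append(now)
        return True

    def _target_ok(self, url: str) -> bool:
        host = urlparse(url).hostname
        if not host:
            return False
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return host in self.allowed_hosts        # a hostname: allowlist only
        # A literal IP must be allowlisted and must not be loopback/private/link-local.
        return ip.is_global and host in self.allowed_hosts

    def check(self, req: Request) -> str:
        if self.REQUIRED_PERM not in req.perms:
            return "forbidden"
        if not self._rate_ok(req.user, req.now):
            return "rate_limited"
        if not self._target_ok(req.target_url):
            return "target_not_allowed"
        return "ok"

    def run_test(self, req: Request, probe) -> dict:
        """probe(url) stands in for the real connection attempt. Its outcome is
        reduced to a status so neither the stored secret nor any upstream error
        message reaches the caller."""
        verdict = self.check(req)
        if verdict != "ok":
            return {"status": "rejected", "reason": verdict}
        try:
            reachable = bool(probe(req.target_url))
        except Exception:
            reachable = False
        return {"status": "ok" if reachable else "failed"}


if __name__ == "__main__":
    gate = ConnectionTestGate(allowed_hosts={"db.internal.example"}, max_per_minute=2)
    tester = frozenset({"connection.test"})
    print(gate.check(Request("u", tester, "postgres://db.internal.example:5432/x")))
    print(gate.check(Request("u", frozenset({"connection.edit"}), "postgres://db.internal.example/x")))
    print(gate.check(Request("u", tester, "http://127.0.0.1:8080/")))
```

The allowlist is the SSRF control: a hostname is accepted only if it is
listed, and a literal IP additionally has to be globally routable, so
loopback and private ranges are refused even if someone adds them to
the list by mistake. The permission check is what the advisory's advice
to "review and adjust user permissions" amounts to in code.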


Credit:

kuteminh11 (finder)
khoabda of Zalo Security Team (finder)
Sayooj B Kumar (Team bi0s & CRED Security team) (finder)
Son Tran from VNPT - VCI (finder)
KmhlYXJ0 (finder)


References:

https://github.com/apache/airflow/pull/32052
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-37379


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

