Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2023-40273
HistoryAug 23, 2023 - 4:15 p.m.

CVE-2023-40273

2023-08-2316:15:09
CWE-384
[email protected]
web.nvd.nist.gov
36
cve
apache airflow
session fixation
vulnerability
security
upgrade
nvd

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.1%

JSON

The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).

With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.

Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.

Affected configurations

Vulners
NVD
Node
apacheairflowRange2.7.0
CPENameOperatorVersion
apache:airflowapache airflowle2.7.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Airflow",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.7.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Related

hackerone 1
osv 4
prion 1
github 1
nvd 1
cnvd 1
veracode 1
cvelist 1
hackerone
hackerone
Internet Bug Bounty: CVE-2023-40273: Session fixation in Apache Airflow web interface
2023-08-24 02:00:31
osv
osv
CVE-2023-40273
2023-08-23 16:15:09
Apache Airflow Session Fixation vulnerability
2023-08-23 18:30:34
BIT-airflow-2023-40273
2024-03-06 10:53:37
prion
prion
Session fixation
2023-08-23 16:15:00
github
github
Apache Airflow Session Fixation vulnerability
2023-08-23 18:30:34
nvd
nvd
CVE-2023-40273
2023-08-23 16:15:09
cnvd
cnvd
Apache Airflow Access Control Error Vulnerability (CNVD-2023-70279)
2023-08-25 00:00:00
veracode
veracode
Session Fixation
2023-08-25 05:20:12
cvelist
cvelist
CVE-2023-40273 Session fixation in Apache Airflow web interface
2023-08-23 15:37:49

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.1%

JSON
Related for CVE-2023-40273
hackerone1osv4prion1github1nvd1cnvd1veracode1cvelist1