Lucene search

GoogleOSV:GHSA-5FF8-7639-6V6G

HistorySep 03, 2022 - 12:00 a.m.

Apache Airflow Session Fixation vulnerability

2022-09-0300:00:25

Google

osv.dev

apache airflow

session fixation

vulnerability

webserver

database

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.061 Low

EPSS

Percentile

93.6%

JSON

In Apache Airflow versions 2.2.4 through 2.3.3, the database webserver session backend was susceptible to session fixation.

CPENameOperatorVersion
apache-airfloweq2.3.3
apache-airfloweq2.3.3rc1
apache-airfloweq2.3.0
apache-airfloweq2.3.0rc1
apache-airfloweq2.3.3rc2
apache-airfloweq2.3.0b1
apache-airfloweq2.2.5
apache-airfloweq2.3.0rc2
apache-airfloweq2.2.5rc1
apache-airfloweq2.3.1rc1

Name	Operator	Version
apache-airflow	eq	2.3.3
apache-airflow	eq	2.3.3rc1
apache-airflow	eq	2.3.0
apache-airflow	eq	2.3.0rc1
apache-airflow	eq	2.3.3rc2
apache-airflow	eq	2.3.0b1
apache-airflow	eq	2.2.5
apache-airflow	eq	2.3.0rc2
apache-airflow	eq	2.2.5rc1
apache-airflow	eq	2.3.1rc1

Rows per page:

1-10 of 181

References

www.openwall.com/lists/oss-security/2022/09/02/1

github.com/advisories/GHSA-5ff8-7639-6v6g

github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-263.yaml

lists.apache.org/thread/rsd3h89xdp16rg0ltovx3m7q3ypkxsbb

nvd.nist.gov/vuln/detail/CVE-2022-38054

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.061 Low

EPSS

Percentile

93.6%

JSON

Related for OSV:GHSA-5FF8-7639-6V6G