Vulnerability Description
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | < 2.8.2 |
Related Weaknesses (CWE)
References
- https://github.com/apache/airflow/pull/37290 (Broken Link)
- https://github.com/apache/airflow/pull/37468 (Issue Tracking)
- https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5 (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2024/02/29/1 (Mailing List)
FAQ
What is CVE-2024-27906?
CVE-2024-27906 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. U...
How severe is CVE-2024-27906?
CVE-2024-27906 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-27906?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow.