cnvd - cnvd-2023-70279

CNVD-2023-70279

Vulnerability from cnvd - Published: 2023-09-20

Title

Apache Airflow访问控制错误漏洞（CNVD-2023-70279）

Description

Apache Airflow是美国阿帕奇（Apache）基金会的一套用于创建、管理和监控工作流程的开源平台。该平台具有可扩展和动态监控等特点。 Apache Airflow 2.7.0之前版本存在访问控制错误漏洞，该漏洞源于会话固定，即使管理员重置了用户密码也允许经过身份验证的用户继续访问Airflow网络服务器。攻击者可利用该漏洞继续访问服务器。

Severity

高

Patch Name

Apache Airflow访问控制错误漏洞（CNVD-2023-70279）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj

Reference

https://github.com/apache/airflow/pull/33347

Impacted products

Name
Apache Airflow <=2.7.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-40273",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-40273"
    }
  },
  "description": "Apache Airflow\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u521b\u5efa\u3001\u7ba1\u7406\u548c\u76d1\u63a7\u5de5\u4f5c\u6d41\u7a0b\u7684\u5f00\u6e90\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5177\u6709\u53ef\u6269\u5c55\u548c\u52a8\u6001\u76d1\u63a7\u7b49\u7279\u70b9\u3002\n\nApache Airflow 2.7.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f1a\u8bdd\u56fa\u5b9a\uff0c\u5373\u4f7f\u7ba1\u7406\u5458\u91cd\u7f6e\u4e86\u7528\u6237\u5bc6\u7801\u4e5f\u5141\u8bb8\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u7ee7\u7eed\u8bbf\u95eeAirflow\u7f51\u7edc\u670d\u52a1\u5668\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ee7\u7eed\u8bbf\u95ee\u670d\u52a1\u5668\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-70279",
  "openTime": "2023-09-20",
  "patchDescription": "Apache Airflow\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u521b\u5efa\u3001\u7ba1\u7406\u548c\u76d1\u63a7\u5de5\u4f5c\u6d41\u7a0b\u7684\u5f00\u6e90\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5177\u6709\u53ef\u6269\u5c55\u548c\u52a8\u6001\u76d1\u63a7\u7b49\u7279\u70b9\u3002\r\n\r\nApache Airflow 2.7.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f1a\u8bdd\u56fa\u5b9a\uff0c\u5373\u4f7f\u7ba1\u7406\u5458\u91cd\u7f6e\u4e86\u7528\u6237\u5bc6\u7801\u4e5f\u5141\u8bb8\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u7ee7\u7eed\u8bbf\u95eeAirflow\u7f51\u7edc\u670d\u52a1\u5668\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ee7\u7eed\u8bbf\u95ee\u670d\u52a1\u5668\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Airflow\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2023-70279\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Airflow \u003c=2.7.0"
  },
  "referenceLink": "https://github.com/apache/airflow/pull/33347",
  "serverity": "\u9ad8",
  "submitTime": "2023-08-25",
  "title": "Apache Airflow\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2023-70279\uff09"
}

CVE-2023-40273 (GCVE-0-2023-40273)

Vulnerability from cvelistv5 – Published: 2023-08-23 15:37 – Updated: 2024-09-27 20:29

Summary

The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that). With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour. Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.

Severity ?

No CVSS data available.

CWE

CWE-384 - Session Fixation

Assigner

apache

References

URL

Tags

	https://github.com/apache/airflow/pull/33347	patch
	https://lists.apache.org/thread/9rdmv8ln4y4ncbyrl…	vendor-advisory
	https://www.openwall.com/lists/oss-security/2023/…

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Airflow	Affected: 0 , < 2.7.0 (semver)

Credits

Yusuf AYDIN (@h1_yusuf) L3yx of Syclover Security Team. Son Tran of VNPT-VCI Thuong Nguyen (@nthuong95)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:31:52.401Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/apache/airflow/pull/33347"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2023/08/23/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "airflow",
            "vendor": "apache",
            "versions": [
              {
                "lessThanOrEqual": "2.7.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-40273",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-27T20:28:46.438042Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-27T20:29:59.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Airflow",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.7.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yusuf AYDIN (@h1_yusuf)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "L3yx of Syclover Security Team."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Son Tran of VNPT-VCI"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Thuong Nguyen (@nthuong95)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for \u003ccode\u003edatabase\u003c/code\u003e\u0026nbsp;session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).\u003c/p\u003e\u003cp\u003eWith this fix implemented, when using the\u0026nbsp;\u003ccode\u003edatabase\u003c/code\u003e\u0026nbsp;session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the \u003ccode\u003esecurecookie\u003c/code\u003e\u0026nbsp;session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.\u003c/p\u003eUsers of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.\u003cbr\u003e"
            }
          ],
          "value": "The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database\u00a0session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that).\n\nWith this fix implemented, when using the\u00a0database\u00a0session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie\u00a0session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour.\n\nUsers of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-384",
              "description": "CWE-384 Session Fixation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-12T06:42:10.576Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/airflow/pull/33347"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2023/08/23/1"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Session fixation in Apache Airflow web interface",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-40273",
    "datePublished": "2023-08-23T15:37:49.378Z",
    "dateReserved": "2023-08-13T15:37:41.647Z",
    "dateUpdated": "2024-09-27T20:29:59.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-70279

CVE-2023-40273 (GCVE-0-2023-40273)

Tags

Sightings

Nomenclature