cvelistv5 - cve-2024-26280

Source	URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2024/03/01/1
security@apache.org	https://github.com/apache/airflow/pull/37501
security@apache.org	https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh

Vendor	Product
Apache Software Foundation	Apache Airflow

pysec-2024-42

Vulnerability from pysec

Published

2024-03-01 11:15

Modified

2024-03-01 14:20

Details

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Aliases

CVE-2024-26280

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow",
        "purl": "pkg:pypi/apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.10.0",
        "1.10.1",
        "1.10.10",
        "1.10.10rc1",
        "1.10.10rc2",
        "1.10.10rc3",
        "1.10.10rc4",
        "1.10.10rc5",
        "1.10.11",
        "1.10.11rc1",
        "1.10.11rc2",
        "1.10.12",
        "1.10.12rc1",
        "1.10.12rc2",
        "1.10.12rc3",
        "1.10.12rc4",
        "1.10.13",
        "1.10.13rc1",
        "1.10.14",
        "1.10.14rc1",
        "1.10.14rc2",
        "1.10.14rc3",
        "1.10.14rc4",
        "1.10.15",
        "1.10.15rc1",
        "1.10.1b1",
        "1.10.1rc2",
        "1.10.2",
        "1.10.2b2",
        "1.10.2rc1",
        "1.10.2rc2",
        "1.10.2rc3",
        "1.10.3",
        "1.10.3b1",
        "1.10.3b2",
        "1.10.3rc1",
        "1.10.3rc2",
        "1.10.4",
        "1.10.4b2",
        "1.10.4rc1",
        "1.10.4rc2",
        "1.10.4rc3",
        "1.10.4rc4",
        "1.10.4rc5",
        "1.10.5",
        "1.10.5rc1",
        "1.10.6",
        "1.10.6rc1",
        "1.10.6rc2",
        "1.10.7",
        "1.10.7rc1",
        "1.10.7rc2",
        "1.10.7rc3",
        "1.10.8",
        "1.10.8rc1",
        "1.10.9",
        "1.10.9rc1",
        "1.8.1",
        "1.8.2",
        "1.8.2rc1",
        "1.9.0",
        "2.0.0",
        "2.0.0b1",
        "2.0.0b2",
        "2.0.0b3",
        "2.0.0rc1",
        "2.0.0rc2",
        "2.0.0rc3",
        "2.0.1",
        "2.0.1rc1",
        "2.0.1rc2",
        "2.0.2",
        "2.0.2rc1",
        "2.1.0",
        "2.1.0rc1",
        "2.1.0rc2",
        "2.1.1",
        "2.1.1rc1",
        "2.1.2",
        "2.1.2rc1",
        "2.1.3",
        "2.1.3rc1",
        "2.1.4",
        "2.1.4rc1",
        "2.1.4rc2",
        "2.2.0",
        "2.2.0b1",
        "2.2.0b2",
        "2.2.0rc1",
        "2.2.1",
        "2.2.1rc1",
        "2.2.1rc2",
        "2.2.2",
        "2.2.2rc1",
        "2.2.2rc2",
        "2.2.3",
        "2.2.3rc1",
        "2.2.3rc2",
        "2.2.4",
        "2.2.4rc1",
        "2.2.5",
        "2.2.5rc1",
        "2.2.5rc2",
        "2.2.5rc3",
        "2.3.0",
        "2.3.0b1",
        "2.3.0rc1",
        "2.3.0rc2",
        "2.3.1",
        "2.3.1rc1",
        "2.3.2",
        "2.3.2rc1",
        "2.3.2rc2",
        "2.3.3",
        "2.3.3rc1",
        "2.3.3rc2",
        "2.3.3rc3",
        "2.3.4",
        "2.3.4rc1",
        "2.4.0",
        "2.4.0b1",
        "2.4.0rc1",
        "2.4.1",
        "2.4.1rc1",
        "2.4.2",
        "2.4.2rc1",
        "2.4.3",
        "2.4.3rc1",
        "2.5.0",
        "2.5.0rc1",
        "2.5.0rc2",
        "2.5.0rc3",
        "2.5.1",
        "2.5.1rc1",
        "2.5.1rc2",
        "2.5.2",
        "2.5.2rc1",
        "2.5.2rc2",
        "2.5.3",
        "2.5.3rc1",
        "2.5.3rc2",
        "2.6.0",
        "2.6.0b1",
        "2.6.0rc1",
        "2.6.0rc2",
        "2.6.0rc3",
        "2.6.0rc4",
        "2.6.0rc5",
        "2.6.1",
        "2.6.1rc1",
        "2.6.1rc2",
        "2.6.1rc3",
        "2.6.2",
        "2.6.2rc1",
        "2.6.2rc2",
        "2.6.3",
        "2.6.3rc1",
        "2.7.0",
        "2.7.0b1",
        "2.7.0rc1",
        "2.7.0rc2",
        "2.7.1",
        "2.7.1rc1",
        "2.7.1rc2",
        "2.7.2",
        "2.7.2rc1",
        "2.7.3",
        "2.7.3rc1",
        "2.8.0",
        "2.8.0b1",
        "2.8.0rc1",
        "2.8.0rc2",
        "2.8.0rc3",
        "2.8.0rc4",
        "2.8.1",
        "2.8.1rc1",
        "2.8.2rc1",
        "2.8.2rc2",
        "2.8.2rc3"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-26280"
  ],
  "details": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view.\u00a0With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability",
  "id": "PYSEC-2024-42",
  "modified": "2024-03-01T14:20:34.498842+00:00",
  "published": "2024-03-01T11:15:00+00:00",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/37501"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh"
    }
  ]
}

ghsa-6xwf-xvf3-v459

Vulnerability from github

Published

2024-03-01 12:30

Modified

2024-05-02 14:26

Summary

Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users

Details

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-26280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-01T21:40:55Z",
    "nvd_published_at": "2024-03-01T11:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view.\u00a0With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability",
  "id": "GHSA-6xwf-xvf3-v459",
  "modified": "2024-05-02T14:26:32Z",
  "published": "2024-03-01T12:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26280"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/37501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/1a96407cd2d76616c1137de288f092d4f3b097fa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/7f10998c17ab9d725bc8671deb4c12d672bfba99"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/8324c87e05741e5a673c43b315619a3788bacc2e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/8463ee4f25114a6c5fb2408d6026afe94bdf106d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/f2ea8a3e1753012bfe0d529c9c8be66cf55ca28f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/f4b9cc74976b7df1acbc3c63471b5751b3e2c40c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-42.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/01/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users"
}

gsd-2024-26280

Vulnerability from gsd

Modified

2024-02-16 06:02

Details

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Aliases

CVE-2024-26280

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-26280"
      ],
      "details": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view.\u00a0With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability",
      "id": "GSD-2024-26280",
      "modified": "2024-02-16T06:02:27.284756Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2024-26280",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Airflow",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "2.8.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Yusuf AYDIN (@h1_yusuf)"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view.\u00a0With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-276",
                "lang": "eng",
                "value": "CWE-276 Incorrect Default Permissions"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/apache/airflow/pull/37501",
            "refsource": "MISC",
            "url": "https://github.com/apache/airflow/pull/37501"
          },
          {
            "name": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view.\u00a0With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability"
          },
          {
            "lang": "es",
            "value": "Apache Airflow, versiones anteriores a la 2.8.2, tiene una vulnerabilidad que permite a los usuarios autenticados de Ops y Viewers ver toda la informaci\u00f3n en los registros de auditor\u00eda, incluidos los nombres de dag y los nombres de usuario que no ten\u00edan permiso para ver. Con 2.8.2 y versiones posteriores, los usuarios de Ops y Viewer no tienen permiso de registro de auditor\u00eda de forma predeterminada; se les debe otorgar permisos expl\u00edcitamente para ver los registros. De forma predeterminada, solo los usuarios administradores tienen permiso de registro de auditor\u00eda. Se recomienda a los usuarios de Apache Airflow actualizar a la versi\u00f3n 2.8.2 o posterior para mitigar el riesgo asociado con esta vulnerabilidad."
          }
        ],
        "id": "CVE-2024-26280",
        "lastModified": "2024-03-01T14:04:04.827",
        "metrics": {},
        "published": "2024-03-01T11:15:08.123",
        "references": [
          {
            "source": "security@apache.org",
            "url": "https://github.com/apache/airflow/pull/37501"
          },
          {
            "source": "security@apache.org",
            "url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh"
          }
        ],
        "sourceIdentifier": "security@apache.org",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-276"
              }
            ],
            "source": "security@apache.org",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Action not permitted

cve-2024-26280

Vulnerability from cvelistv5

pysec-2024-42

Vulnerability from pysec

ghsa-6xwf-xvf3-v459

Vulnerability from github

gsd-2024-26280

Vulnerability from gsd

Tags