Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02djZ3LWg4bTYtN212Ms4AA5qK

Apache Airflow: DAG Code and Import Error Permissions Ignored

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Permalink: https://github.com/advisories/GHSA-6v6w-h8m6-7mv2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02djZ3LWg4bTYtN212Ms4AA5qK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: 17 days ago

Identifiers: GHSA-6v6w-h8m6-7mv2, CVE-2024-27906
References:

Repository: https://github.com/apache/airflow
Blast Radius: 0.0

Affected Packages

pypi:apache-airflow

Dependent packages: 265
Dependent repositories: 1,554
Downloads: 24,276,743 last month
Affected Version Ranges: <= 2.8.1
Fixed in: 2.8.2
All affected versions: 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1
All unaffected versions: 2.8.2, 2.8.3, 2.8.4, 2.9.0