Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02eHdmLXh2ZjMtdjQ1Oc4AA5rU

Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Permalink: https://github.com/advisories/GHSA-6xwf-xvf3-v459
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02eHdmLXh2ZjMtdjQ1Oc4AA5rU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: 17 days ago

Identifiers: GHSA-6xwf-xvf3-v459, CVE-2024-26280
References:

Repository: https://github.com/apache/airflow
Blast Radius: 0.0

Affected Packages

pypi:apache-airflow

Dependent packages: 265
Dependent repositories: 1,554
Downloads: 24,276,743 last month
Affected Version Ranges: < 2.8.2
Fixed in: 2.8.2
All affected versions: 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1
All unaffected versions: 2.8.2, 2.8.3, 2.8.4, 2.9.0