Description

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When a user's password was changed with the admin CLI, the sessions for that user were not cleared, leading to insufficient session expiration: logged-in users could remain logged in even after the password was changed. This only happened when the password was changed with the CLI. The problem does not occur when the change is made through the webserver, so this is different from CVE-2023-40273 (https://github.com/advisories/GHSA-pm87-24wq-r8w9), which was addressed in Apache-Airflow 2.7.0. Users are recommended to upgrade to version 1.5.2, which fixes the issue.

INFO

Published Date : 2025-01-08T08:41:39.579Z

Last Modified : 2025-01-08T13:59:37.707Z

Source : apache

AFFECTED PRODUCTS

The following products are affected by the CVE-2024-45033 vulnerability.

Vendor: Apache
Products:
  • Apache-airflow-providers-fab