Home > Vulnerability Database > CVE-2024-27906

Mend.io Vulnerability Database

CVE-2024-27906

Good to know:

Date: February 29, 2024

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Language: Python

Severity Score

5.9

Related Resources (17)

Url: https://github.com/apache/airflow/pull/37468

Url: https://github.com/apache/airflow/commit/2adbe882e68df0e2b1084bc869616bb01e416aa7

Url: https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-245.yaml

Url: https://github.com/apache/airflow/commit/90255d9d44a649025f588497f6c82177dad48326

Url: https://github.com/apache/airflow

Url: https://github.com/apache/airflow/commit/bc2646be043f71b4d1ab7eefd2af65a60bf919f2

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27906

Url: https://github.com/apache/airflow/commit/2cb6027280bcf5e2b561f3ee7f55980f6ec4cc3a

Url: http://www.openwall.com/lists/oss-security/2024/02/29/1

Url: https://github.com/apache/airflow/commit/a7fa258ba1c69a18e0f620499625f6026768dc24

Url: https://github.com/apache/airflow/commit/0a95299691e2d6a9b874adfae94d246a7f681ec9

Url: https://github.com/apache/airflow/commit/d944eb0de216d9e1d125fae5ce4af7440154deb4

Url: https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5

Url: https://github.com/apache/airflow/commit/08d25607abe8593ecb90a84e338896bb79692d7b

Url: https://github.com/apache/airflow/commit/9c4defa08268322b9db80123a22d7b56b2063446

Url: https://github.com/apache/airflow/pull/37290

Url: https://www.mend.io/vulnerability-database/CVE-2024-27906

Severity Score

5.9

Weakness Type (CWE)

Exposure of Resource to Wrong Sphere

CWE-668

Missing Authorization

CWE-862

Top Fix

Upgrade Version

Upgrade to version apache-airflow - 2.8.2

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27906

Good to know:

Date: February 29, 2024

Language: Python

Severity Score

Related Resources (17)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?