CVE-2023-40273
CVSS 3.1 Score 8.0 of 10 (high)
Details
Summary
CVE-2023-40273 is a session fixation vulnerability in Apache Airflow that allowed authenticated users to keep accessing the webserver even after an admin had reset their password. This issue affected the database session backend, and there was no mechanism to force-logout the affected user or other users. With the fix, sessions are invalidated on password reset when the database session backend is used. With the securecookie session backend, existing sessions remain valid until the secret key is changed and the webserver restarted. Users are advised to upgrade to Apache Airflow version 2.7.0 or newer to mitigate this risk. The documentation has also been updated to describe these session behaviors.
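As an added illustration (not Airflow's own code), a simplified model of the two session backends the summary contrasts: a database-backed store that can drop a user's sessions when their password is reset, and a signed-cookie store where nothing is revocable server-side and only rotating the secret key ends existing sessions. The class and function names are assumptions for this example.

```python
import hashlib
import hmac
import secrets

class DbSessionStore:
    """Server-side sessions keyed by an opaque id; revocable per user."""
    def __init__(self):
        self.sessions = {}  # session_id -> username
    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid
    def is_valid(self, sid, user):
        return self.sessions.get(sid) == user
    def reset_password(self, user):
        # The fix described above: drop every session belonging to this user.
        for sid in [s for s, u in self.sessions.items() if u == user]:
            del self.sessions[sid]

class SecureCookieStore:
    """Stateless signed-cookie sessions: the server keeps only the secret key."""
    def __init__(self, key):
        self.key = key
    def login(self, user):
        sig = hmac.new(self.key, user.encode(), hashlib.sha256).hexdigest()
        return f"{user}.{sig}"
    def is_valid(self, cookie, user):
        name, _, sig = cookie.rpartition(".")
        expected = hmac.new(self.key, name.encode(), hashlib.sha256).hexdigest()
        return name == user and hmac.compare_digest(sig, expected)
    def reset_password(self, user):
        pass  # Nothing to revoke server-side; only a key rotation logs users out.
    def rotate_key(self):
        self.key = secrets.token_bytes(32)

def demo():
    """Returns (db_before, db_after_reset, cookie_after_reset, cookie_after_rotate)."""
    db = DbSessionStore()
    sid = db.login("alice")
    db_before = db.is_valid(sid, "alice")
    db.reset_password("alice")
    sc = SecureCookieStore(secrets.token_bytes(32))
    cookie = sc.login("alice")
    sc.reset_password("alice")
    cookie_after_reset = sc.is_valid(cookie, "alice")
    sc.rotate_key()
    return db_before, db.is_valid(sid, "alice"), cookie_after_reset, sc.is_valid(cookie, "alice")
```

The database-backed session dies with the password reset, while the signed cookie survives it and is only rejected once the key has been rotated, which is why the securecookie backend needs a secret key change and restart.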
Affected Products
- Apache Airflow
Affected Vendors
- Apache Software Foundation