CVE-2023-40273

CVSS 3.1 Score 8.0 of 10 (high)

Details

Published Aug 23, 2023
Updated: Aug 29, 2023
CWE ID 384 (Session Fixation)

Summary

CVE-2023-40273 is a session fixation vulnerability in Apache Airflow: an authenticated user's session stayed valid after an admin reset that user's password, so the user kept access to the webserver. The issue affected the database session backend, which offered no way to force a logout of the affected user or of any other users. The fix invalidates database-backed sessions when a password is reset. Sessions under the securecookie session backend are not affected by the fix and remain valid until the secret key is changed and the webserver is restarted. Users are advised to upgrade to Apache Airflow 2.7.0 or newer to mitigate this risk. The documentation has been updated to describe these changes in session behaviour.

Affected Products

  • Apache Airflow

Affected Vendors

  • Apache Software Foundation