"Son Tran of VNPT-VCI" also reported this vulnerability but was missed in the announcement. Apologies
On 2023/08/23 10:32:26 Ephraim Anierobi wrote:

> Severity: low
>
> Affected versions:
>
> - Apache Airflow before 2.7.0
>
> Description:
>
> The session fixation vulnerability allowed the authenticated user to continue
> accessing Airflow webserver even after the password of the user has been
> reset by the admin - up until the expiry of the session of the user. Other
> than manually cleaning the session database (for database session backend),
> or changing the secure_key and restarting the webserver, there were no
> mechanisms to force-logout the user (and all other users with that).
>
> With this fix implemented, when using the database session backend, the
> existing sessions of the user are invalidated when the password of the user
> is reset. When using the securecookie session backend, the sessions are NOT
> invalidated and still require changing the secure key and restarting the
> webserver (and logging out all other users), but the user resetting the
> password is informed about it with a flash message warning displayed in the
> UI. Documentation is also updated explaining this behaviour.
>
> Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to
> mitigate the risk associated with this vulnerability.
>
> Credit:
>
> Yusuf AYDIN (@h1_yusuf) (finder)
> L3yx of Syclover Security Team. (finder)
>
> References:
>
> https://github.com/apache/airflow/pull/33347
> https://airflow.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2023-40273
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
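The advisory above contrasts two session backends: a database-backed store, where the server can drop one user's sessions when an admin resets that user's password, and a signed-cookie store, where the server holds no per-session state and the only blanket invalidation is rotating the signing key (which logs everyone out). The following constructed example, added here and not Airflow's own code or the fix in PR 33347, models both behaviours with the standard library. Class names, the `on_password_reset` hook and the `warnings` list are assumptions chosen for the illustration; the key-derivation is a placeholder, not a recommendation.

```python
"""Constructed illustration of session invalidation on password reset.

Not Airflow's implementation: a minimal server-side (database-style) session
store that can revoke one user's sessions, beside a signed-cookie store that
can only invalidate everything by rotating its signing key.
"""
import hashlib
import hmac
import secrets


class DatabaseSessionStore:
    """Server keeps a session-id -> user-id table (the 'database' backend).

    Because the mapping lives server-side, a password reset can delete exactly
    the affected user's sessions and leave every other user logged in.
    """

    def __init__(self):
        self._sessions = {}  # session_id -> user_id (in-memory stand-in for a DB table)
        self.warnings = []

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)  # unguessable server-issued identifier
        self._sessions[sid] = user_id
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)

    def on_password_reset(self, user_id):
        """Revoke every session belonging to user_id; return how many were dropped."""
        doomed = [sid for sid, uid in self._sessions.items() if uid == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


class SecureCookieSessionStore:
    """Signed-cookie backend: the client holds 'payload|hmac', the server holds nothing.

    With no server-side record there is nothing to delete per user; a reset can
    only warn the operator, and rotating the key invalidates all cookies at once.
    """

    def __init__(self, secret_key):
        self._key = secret_key
        self.warnings = []

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def create(self, user_id):
        payload = "user=" + user_id
        return payload + "|" + self._sign(payload)

    def user_for(self, cookie):
        payload, _, sig = cookie.rpartition("|")
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        return payload[len("user="):] if payload.startswith("user=") else None

    def on_password_reset(self, user_id):
        """Nothing can be revoked per user; record the warning the UI would flash."""
        self.warnings.append(
            "Sessions for %s remain valid until the secret key is rotated "
            "and the webserver restarted (this logs out all users)." % user_id
        )
        return 0

    def rotate_key(self, new_key):
        self._key = new_key  # every previously issued cookie now fails verification


def simulate_password_reset(store):
    """Admin resets alice's password while alice and bob both hold live sessions.

    Returns which existing sessions still resolve to their user afterwards.
    """
    alice_sid = store.create("alice")
    bob_sid = store.create("bob")
    revoked = store.on_password_reset("alice")
    return {
        "alice_still_logged_in": store.user_for(alice_sid) == "alice",
        "bob_still_logged_in": store.user_for(bob_sid) == "bob",
        "sessions_revoked": revoked,
    }


if __name__ == "__main__":
    print("database backend:", simulate_password_reset(DatabaseSessionStore()))
    cookie_store = SecureCookieSessionStore(b"constructed-demo-key-1")
    print("securecookie backend:", simulate_password_reset(cookie_store))
    print("warnings:", cookie_store.warnings)
```

Running the script shows the asymmetry the advisory describes: with the database-style store alice's session is gone while bob's survives, whereas with the signed-cookie store both sessions remain valid and only a warning is recorded; calling `rotate_key` afterwards makes every previously issued cookie fail verification, which is the "log out all other users" cost the advisory mentions.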
