CVE-2024-27906: Apache Airflow: Dag Code and Import Error Permissions Ignored

Description

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability.

Classification

CVE ID: CVE-2024-27906

Affected Products

Vendor: Apache Software Foundation

Product: Apache Airflow

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.39% (proportion of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-14 (date on which this score was calculated)

References

https://github.com/apache/airflow/pull/37290
https://github.com/apache/airflow/pull/37468
https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
http://www.openwall.com/lists/oss-security/2024/02/29/1
