CVE-2024-27906 - Security Vulnerability in Apache Airflow Versions Prior to 2.8.2: Unauthorized Access to DAG Code and Import Errors

Apache Airflow is a popular open-source platform designed for managing, orchestrating, scheduling, and monitoring workflows. Regrettably, a security vulnerability (CVE-2024-27906) has been discovered in versions of Apache Airflow prior to 2.8.2. This vulnerability allows authenticated users to view Directed Acyclic Graph (DAG) code and import errors for DAGs they do not have permission to view through the Application Programming Interface (API) and the User Interface (UI). To mitigate the risk associated with this vulnerability, users of Apache Airflow are encouraged to upgrade to version 2.8.2 or later.

In this post, we will provide a detailed explanation of the security vulnerability, useful code snippets that can be used to demonstrate the issue, and links to original references. Our primary objective is to raise awareness of this vulnerability and encourage affected users to patch their systems promptly.

Exploit Details

Due to insufficient access controls, this vulnerability allows an authenticated user with lesser permissions to view DAG code and import errors of DAGs they should not have access to. This issue poses a significant risk, as it can potentially reveal sensitive information, intellectual property, or lead to unauthorized changes in the workflow.

The problem exists in the API layer and UI layer. The following code snippets demonstrate the vulnerability in the API and UI endpoints:

API Code Snippet

# Unauthorized access to DAG code
@app.route('/api/dag_code', methods=['GET'])
@authenticated
def api_dag_code():
    dag_id = request.args.get('dag_id')
    dag_code = get_dag_code(dag_id) # No permission check
    return jsonify({'dag_code': dag_code})

UI Code Snippet

# Unauthorized access to DAG import_error
@app.route('/dag_import_error', methods=['GET'])
@authenticated
def dag_import_error():
    dag_id = request.args.get('dag_id')
    import_error = get_import_error(dag_id) # No permission check
    return jsonify({'import_error': import_error})

As shown above, the code snippets highlight that there is no permission check in place before retrieving the DAG code or import_error information.

Mitigation and Patch

The Apache Airflow project has responsibly addressed the vulnerability and released a patch in version 2.8.2 that addresses the associated risks. The patch adds proper permission checks for accessing DAG code and import_error information.

We recommend all users of Apache Airflow to upgrade their installations to version 2.8.2 or newer as soon as possible:

pip install 'apache-airflow==2.8.2'

Or, alternatively

pip install --upgrade apache-airflow

References and Additional Information

1. Official Apache Airflow GitHub Repository: https://github.com/apache/airflow
2. Apache Airflow CVE-2024-27906 Advisory: https://airflow.apache.org/docs/stable/security.html#cve-2024-27906
3. National Vulnerability Database Entry for CVE-2024-27906: https://nvd.nist.gov/vuln/detail/CVE-2024-27906

Conclusion

Security vulnerabilities like CVE-2024-27906 highlight the importance of continually updating software to the latest versions and applying security patches as they become available. By upgrading to Apache Airflow v2.8.2 or newer, users can mitigate the risks associated with this vulnerability and better protect their sensitive data and workflow integrity.

Timeline

Published on: 02/29/2024 11:15:08 UTC
Last modified on: 11/25/2024 16:15:12 UTC