A security vulnerability, identified as CVE-2024-45033, has been discovered in the Apache Airflow Fab Provider affecting versions before 1.5.2. The vulnerability is related to Insufficient Session Expiration when user passwords are changed using the admin CLI. In such cases, existing user sessions are not cleared, allowing users to continue being logged in even after the password was changed. This post will provide more details about the vulnerability, share a code snippet to help understand the issue, and advise on how to mitigate this vulnerability.
Exploit Details
Affected Software: Apache Airflow Fab Provider (< 1.5.2)
CVE ID: CVE-2024-45033
Impact: This vulnerability allows unauthorized access to user accounts even after their passwords have been changed using the admin CLI.
In the affected versions of Apache Airflow Fab Provider, when an administrator changes a user's password using the admin CLI, existing user sessions are not cleared. Consequently, users who were logged in before the password change can continue to access their accounts although their passwords have been changed.
It should be noted that this issue is distinct from CVE-2023-40273 (https://github.com/advisories/GHSA-pm87-24wq-r8w9), which was addressed in Apache Airflow 2.7. The difference is that CVE-2024-45033 only affects password changes made through the admin CLI, not those made through the web server.
Below is a code snippet to help visualize the issue in Apache Airflow Fab Provider:
```shell
# Changing a user's password through the admin CLI
airflow fab_change_user_password --user_id <user_id> --new_password <new_password>
```

```python
# The following function should be called to invalidate active sessions when
# a user's password is changed, but that call is missing in the affected
# versions of the Apache Airflow Fab Provider:
def clear_user_sessions(user_id):
    """Clear all active sessions for the specified user."""
    pass
```
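To make the failure mode concrete, here is an added, self-contained model of the problem (example code written for this post, not Fab Provider or Airflow code): an in-memory auth store whose CLI-style password change can either skip or perform session invalidation, plus an audit helper that lists sessions issued before a user's last password change. All names (AuthStore, cli_change_password, stale_sessions) and the logical clock are assumptions of the example.

```python
# Added example (not Fab Provider code): a minimal model of the
# CVE-2024-45033 failure mode and of the session-invalidation fix.
import hashlib
import secrets


def _hash(password: str) -> str:
    # Illustrative only; a real store would use a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


class AuthStore:
    def __init__(self):
        self.password_hash = {}        # user_id -> password hash
        self.password_changed_at = {}  # user_id -> logical time of last change
        self.sessions = {}             # token -> (user_id, issued_at)

    def add_user(self, user_id, password, now):
        self.password_hash[user_id] = _hash(password)
        self.password_changed_at[user_id] = now

    def login(self, user_id, password, now):
        if self.password_hash.get(user_id) != _hash(password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (user_id, now)
        return token

    def is_logged_in(self, token):
        return token in self.sessions

    def clear_user_sessions(self, user_id):
        # The step the affected CLI path did not perform.
        for t in [t for t, (uid, _) in self.sessions.items() if uid == user_id]:
            del self.sessions[t]

    def cli_change_password(self, user_id, new_password, now, invalidate=True):
        # invalidate=False reproduces the pre-1.5.2 behaviour described above.
        self.password_hash[user_id] = _hash(new_password)
        self.password_changed_at[user_id] = now
        if invalidate:
            self.clear_user_sessions(user_id)

    def stale_sessions(self):
        # Audit check: sessions issued before the user's last password change.
        return [t for t, (uid, issued) in self.sessions.items()
                if issued < self.password_changed_at[uid]]


def demo(invalidate):
    store = AuthStore()
    store.add_user(1, "old-password", now=0)
    token = store.login(1, "old-password", now=1)
    store.cli_change_password(1, "new-password", now=2, invalidate=invalidate)
    return store.is_logged_in(token), len(store.stale_sessions())
```

With invalidate=False the old token is still accepted after the change and the audit reports one stale session; with invalidate=True the token is rejected and the audit is empty.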
Mitigation
To fix this vulnerability, users should upgrade their Apache Airflow Fab Provider to version 1.5.2, which includes a patch that resolves the issue. You can upgrade to this version by running the following command:
```shell
pip install apache-airflow-fab-provider==1.5.2
```
Conclusion
CVE-2024-45033 is a security vulnerability affecting Apache Airflow Fab Provider versions before 1.5.2. It allows unauthorized access to user accounts because sessions are not expired when a user's password is changed through the admin CLI. Users are encouraged to upgrade to version 1.5.2 to mitigate the risks associated with this vulnerability.
Timeline
Published on: 01/08/2025 09:15:07 UTC
Last modified on: 01/08/2025 14:15:26 UTC