CVE-2024-45033 — Vulnetix

CVE-2024-45033 PUBLISHED CVSS 8.100000381469727 HIGH

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from CVE-2023-40273 https://github.com/advisories/GHSA-pm87-24wq-r8w9 which was addressed in Apache-Airflow 2.7.0 Users are recommended to upgrade to version 1.5.2, which fixes the issue.

EPSS 1.36% · 80.4th percentile

Risk Scores

CVSS v3.1

8.100000381469727

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

1.36%

80.4th percentile

Affected Products

Vendor	Product	Versions
apache	apache-airflow-providers-fab	0
PyPI	apache-airflow-providers-fab	0
Apache Software Foundation	Apache Airflow Fab Provider	0

Timeline

CVE Published
Jan 21, 1970 Fix PR Merged
Jan 8, 2025 PoC Published
Jan 8, 2025 PoC Published
Jan 8, 2025 PoC Published
Jan 8, 2025 PoC Published
Jan 8, 2025 PoC Published
Jan 9, 2025 EPSS Score
Jan 25, 2025 EPSS Score
Jan 29, 2025 Coalition ESS Score
Feb 9, 2025 EPSS Score
Feb 25, 2025 EPSS Score

References

https://github.com/apache/airflow/pull/45139 patch
https://lists.apache.org/thread/yw535346rk766ybzpqtvrl36sjj789st vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2024-45033 advisory
https://github.com/apache/airflow package

Open in Interactive Console →