CVE-2022-38054: Apache Airflow session hijacking vulnerability
The Apache Software Foundation on Friday addressed two [1,2] vulnerabilities in Apache Airflow, one of which could allow a remote attacker to hijack a user’s session.
Tracked as CVE-2022-38054, the session fixation flaw affects Apache Airflow versions 2.2.4 through 2.3.3 and lies in the “database” webserver session backend. In a session fixation attack the attacker places a session identifier of their choosing into the victim’s browser before the victim authenticates; if the server keeps that identifier across login instead of issuing a new one, the attacker can present the same identifier afterwards and act as the victim. By sending a specially crafted request, an attacker could exploit CVE-2022-38054 to gain access to another user’s session.
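To make the fixation mechanism concrete, here is an added example (not Airflow’s or Flask-Session’s code) of a minimal server-side session store keyed by a cookie value. It models two defensive choices independently: whether the backend creates a record for a session id it never issued, and whether the session id is rotated at login. The `SessionBackend` class, the `fixation_*` helpers and the attacker-chosen id string are all constructed for this illustration.

```python
import secrets


class SessionBackend:
    """Toy server-side ("database") session store keyed by the cookie value.

    Constructed illustration, not Airflow's code. `db` stands in for the
    session table; each value is the dict of session data for one sid.
    """

    def __init__(self, accept_unknown_ids: bool, rotate_on_login: bool):
        self.accept_unknown_ids = accept_unknown_ids
        self.rotate_on_login = rotate_on_login
        self.db = {}

    def open_session(self, cookie_sid):
        """Resolve the sid for a request; return the sid the response will set."""
        if cookie_sid is not None and cookie_sid in self.db:
            return cookie_sid
        if cookie_sid is not None and self.accept_unknown_ids:
            # Weak: a never-issued id supplied by the client becomes a real row,
            # so the attacker controls the key under which the victim's data lands.
            self.db[cookie_sid] = {}
            return cookie_sid
        # Hardened: ignore unknown ids and mint a fresh, unguessable one.
        sid = secrets.token_urlsafe(32)
        self.db[sid] = {}
        return sid

    def login(self, cookie_sid, username):
        """Authenticate the session behind `cookie_sid`; return the sid to set."""
        sid = self.open_session(cookie_sid)
        data = self.db[sid]
        if self.rotate_on_login:
            # Privilege changed: discard the pre-auth id so anyone holding it is cut off.
            del self.db[sid]
            sid = secrets.token_urlsafe(32)
            self.db[sid] = data
        self.db[sid]["user"] = username
        return sid

    def current_user(self, cookie_sid):
        return self.db.get(cookie_sid, {}).get("user")


def fixation_with_invented_id(backend):
    """Attacker plants an id the server never issued, victim logs in with it."""
    attacker_sid = "attacker-chosen-id"  # constructed value planted in the victim's browser
    backend.login(attacker_sid, "victim")
    return backend.current_user(attacker_sid) == "victim"


def fixation_with_issued_id(backend):
    """Attacker first obtains a legitimate anonymous sid, then plants that one."""
    attacker_sid = backend.open_session(None)
    backend.login(attacker_sid, "victim")
    return backend.current_user(attacker_sid) == "victim"


if __name__ == "__main__":
    for accept, rotate in [(True, False), (False, False), (True, True), (False, True)]:
        b = SessionBackend(accept, rotate)
        print(f"accept_unknown={accept} rotate={rotate}: "
              f"invented-id fixation={fixation_with_invented_id(b)} "
              f"issued-id fixation={fixation_with_issued_id(SessionBackend(accept, rotate))}")
```

Rejecting never-issued ids closes the first variant, but an attacker who can obtain a real pre-authentication id from the site still succeeds unless the id is rotated when the user authenticates; rotation on privilege change is the complete fix for this class of bug.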
Apache Airflow is a platform to programmatically author, schedule, and monitor workflows. Use Airflow to author workflows as directed acyclic graphs (DAGs) of tasks. The Airflow scheduler executes your tasks on an array of workers while following the specified dependencies. Rich command line utilities make performing complex surgeries on DAGs a snap. The rich user interface makes it easy to visualize pipelines running in production, monitor progress, and troubleshoot issues when needed.
The second flaw, tracked as CVE-2022-38170, affects all versions of the software prior to 2.3.4. “An insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver,” Apache Airflow noted.
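The following added example (not Airflow’s code) shows why the umask matters and gives a check an operator can run against an Airflow home directory. It creates one file under umask `0` (the default the `python-daemon` library’s `DaemonContext` applies, and the kind of setting the advisory describes as insecure) and one under `0o077`, then scans for world-writable entries. The `create_with_umask`, `world_writable` and `demo` helpers and the temporary directory name are constructed for this illustration.

```python
import os
import stat
import tempfile


def create_with_umask(path, mask):
    """Create `path` under umask `mask` and return the resulting permission bits.

    open() asks for 0o666; the kernel clears whatever bits are set in the umask,
    so umask 0 yields 0o666 (world-writable) and umask 0o077 yields 0o600.
    """
    previous = os.umask(mask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o666)
        os.close(fd)
    finally:
        # umask is process-wide state; restore it so other threads are not affected.
        os.umask(previous)
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable(root):
    """Return paths under `root` that any local user may modify.

    Symlinks are skipped because their own mode bits are meaningless;
    directories are included because a world-writable directory lets a local
    user plant or replace files in it.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            mode = os.lstat(p).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append(p)
    return sorted(hits)


def demo():
    """Create a weak and a hardened file in a scratch 'Airflow home' and scan it."""
    home = tempfile.mkdtemp(prefix="airflow_home_")  # constructed stand-in for AIRFLOW_HOME
    weak = create_with_umask(os.path.join(home, "weak.log"), 0o000)
    safe = create_with_umask(os.path.join(home, "safe.log"), 0o077)
    exposed = [os.path.basename(p) for p in world_writable(home)]
    return weak, safe, exposed


if __name__ == "__main__":
    weak, safe, exposed = demo()
    print(f"umask 0    -> {oct(weak)}")
    print(f"umask 0o077 -> {oct(safe)}")
    print(f"world-writable: {exposed}")
```

Running `world_writable` over the real Airflow home (logs, DAG folder, `airflow.cfg`) after a daemonised component has started is a quick way to confirm whether an installation is affected; the durable fix is to set a restrictive umask once at daemon start rather than around individual file operations, since the per-file approach above is itself a race in a multithreaded process.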
Kai Zhao and Harry Sintonen have been credited with reporting the vulnerabilities. It’s recommended to upgrade Apache Airflow to the latest version (2.3.4), which fixes both flaws, to mitigate the associated risk.