You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Jedidiah Cunningham <je...@apache.org> on 2022/10/04 18:29:07 UTC
CVE-2022-41672: Apache Airflow: Session still funtional after user is deactivated
Description:
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
Credit:
The Apache Airflow PMC would like to thank Axel Chong (@Haxatron) for reporting this issue.
References:
https://github.com/apache/airflow/pull/26635