You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@airflow.apache.org by Jed Cunningham <je...@apache.org> on 2022/10/04 18:32:59 UTC

CVE-2022-41672: Apache Airflow: Session still functional after user is deactivated

Description:

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't
prevent an already authenticated user from being able to continue using the
UI or API.

Credit:

The Apache Airflow PMC would like to thank Axel Chong (@Haxatron) for
reporting this issue.

References:

https://github.com/apache/airflow/pull/26635