CVE-2024-28746
Apache Airflow: Ignored Airflow Permission
CVSS 3.1: 8.1 (HIGH)
EPSS: 0.07%
Description
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc. from the UI which they do not have permission to access. Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability.
How to fix CVE-2024-28746
To remediate CVE-2024-28746, upgrade the affected package to a fixed version below.
- Upgrade to 2.8.3 or later
- Upgrade to 2.8.3rc1 or later
- Upgrade to 2.8.3rc1 or later
Is CVE-2024-28746 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 2.8.0, < 2.8.3
- >= 2.8.0, < 2.8.3rc1
- >= 2.8.0, < 2.8.3rc1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |