GHSA-3q8r-f3pj-3gc4: Apache Airflow may allow authenticated users who have been deactivated to continue using the UI or API
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn’t prevent an already authenticated user from being able to continue using the UI or API.
- CVE-2022-41672
Moderate severity GitHub Reviewed Published Oct 7, 2022 • Updated Oct 7, 2022
Package
apache-airflow (pip)
Affected versions
< 2.4.1
Description
Related news
CVE-2022-41672: Check user is active by jedcunningham · Pull Request #26635 · apache/airflow
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
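The failure mode described above, as an added example that is not Airflow's code or the code from the referenced pull request: a session layer that checks the active flag only at login keeps serving a deactivated account, while one that re-checks it on every request does not. The `User` and `SessionAuth` classes, the `recheck_active` switch and the sample account are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    is_active: bool = True


class SessionAuth:
    """Hypothetical in-memory session layer (not Airflow's implementation)."""

    def __init__(self, recheck_active):
        self.recheck_active = recheck_active
        self.users = {}      # username -> User
        self.sessions = {}   # session id -> username

    def login(self, session_id, username):
        user = self.users.get(username)
        if user is None or not user.is_active:  # checked at login in both modes
            return False
        self.sessions[session_id] = username
        return True

    def current_user(self, session_id):
        """Resolve the user for one request, or None if unauthenticated."""
        username = self.sessions.get(session_id)
        user = self.users.get(username) if username else None
        if user is None:
            return None
        if self.recheck_active and not user.is_active:
            # Hardened path: drop the stale session and refuse the request.
            self.sessions.pop(session_id, None)
            return None
        return user


def request_after_deactivation(recheck_active):
    """Log in, deactivate the account, then report whether a request still succeeds."""
    auth = SessionAuth(recheck_active)
    auth.users["alice"] = User("alice")        # constructed sample account
    auth.login("sess-1", "alice")
    auth.users["alice"].is_active = False      # an admin deactivates the user
    return auth.current_user("sess-1") is not None


if __name__ == "__main__":
    print("login-only check :", request_after_deactivation(False))  # True
    print("per-request check:", request_after_deactivation(True))   # False
```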