CVE-2024-26280

{"id": "CVE-2024-26280", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.2}]}, "published": "2024-03-01T11:15:08.123", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/03/01/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://github.com/apache/airflow/pull/37501", "tags": ["Issue Tracking", "Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh", "tags": ["Vendor Advisory", "Mailing List"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/01/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/apache/airflow/pull/37501", "tags": ["Issue Tracking", "Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh", "tags": ["Vendor Advisory", "Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view.\u00a0With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default.\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability"}, {"lang": "es", "value": "Apache Airflow, versiones anteriores a la 2.8.2, tiene una vulnerabilidad que permite a los usuarios autenticados de Ops y Viewers ver toda la informaci\u00f3n en los registros de auditor\u00eda, incluidos los nombres de dag y los nombres de usuario que no ten\u00edan permiso para ver. Con 2.8.2 y versiones posteriores, los usuarios de Ops y Viewer no tienen permiso de registro de auditor\u00eda de forma predeterminada; se les debe otorgar permisos expl\u00edcitamente para ver los registros. De forma predeterminada, solo los usuarios administradores tienen permiso de registro de auditor\u00eda. Se recomienda a los usuarios de Apache Airflow actualizar a la versi\u00f3n 2.8.2 o posterior para mitigar el riesgo asociado con esta vulnerabilidad."}], "lastModified": "2025-05-13T00:15:21.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2DE39E5-BE9D-45F4-92C2-C99C000F6536", "versionEndExcluding": "2.8.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}