CVE-2023-40273

8.0 HIGH

📋 TL;DR

An authenticated Apache Airflow user's webserver session stays valid after an administrator resets that user's password (the vendor classifies this as session fixation). Whoever holds the old session cookie keeps access until the session expires on its own or is removed by hand; the reset alone does nothing to it. Affected: Airflow versions before 2.7.0 running the database session backend, which is the default.

💻 Affected Systems

Products:
  • Apache Airflow
Versions: before 2.7.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only the database session backend ([webserver] session_backend = database, the default) is in scope. With the securecookie backend the session lives in the signed cookie itself, so existing sessions are invalidated by rotating the webserver secret_key rather than by touching the database.

📦 What is this software?

Apache Airflow is an open-source platform for programmatically authoring, scheduling and monitoring workflows defined as Python DAGs. Its webserver is a Flask application built on Flask-AppBuilder; it serves the UI and REST API and handles user login, and it is the webserver's session handling that this vulnerability concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious insider or compromised account maintains persistent unauthorized access to Airflow webserver, potentially enabling data exfiltration, privilege escalation, or disruption of data pipeline operations.

🟠

Likely Case

Users whose credentials were revoked by a password reset (departing employees, or an account being locked down after a suspected compromise) keep using Airflow until their sessions expire naturally, which at the default session lifetime of 30 days can be weeks of unauthorized access and a clear policy violation.

🟢

If Mitigated

With proper session management and monitoring, unauthorized access is limited to short windows and can be quickly detected and remediated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs a valid login first (or a session cookie stolen from one); afterwards the holder simply keeps sending the existing session cookie, which the webserver still accepts after the password reset. No tooling or exploit code is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.0

Vendor Advisory: https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj

Restart Required: Yes

Instructions:

1. Back up airflow.cfg and the metadata database.
2. Upgrade Apache Airflow to 2.7.0 or newer using the matching constraints file, for example: pip install "apache-airflow==2.7.0" --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-2.7.0/constraints-3.11.txt" (substitute your Python version in the file name).
3. Run the metadata database migration (airflow db migrate).
4. Restart the Airflow webserver and scheduler services.
5. Verify the version with airflow version, then confirm that resetting a test user's password logs that user's existing session out.

🔧 Temporary Workarounds

Manual Session Cleanup

Applies to: all platforms (database session backend)

Remove the server-side sessions of any user whose password has been reset. Note that the session table written by Airflow's database backend (Flask-Session's SqlAlchemy interface) has the columns id, session_id, data and expiry: the logged-in user's id is inside the pickled data blob, not in a user_id column, so it cannot be selected with plain SQL. The simple option is to clear the whole table, which logs every user out at once:

DELETE FROM session;

The targeted option is to deserialize each row's data and delete only the rows whose _user_id belongs to the affected user, which is essentially what the 2.7.0 fix does on password reset. Either way, run it against the metadata database named in sql_alchemy_conn immediately after the reset.
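
As an added example (not code from this page or from the Airflow project), the script below performs the targeted cleanup in Python against a constructed in-memory SQLite copy of the session table: it walks the rows, unpickles each data blob the way Flask-Session stores it, and deletes only the rows whose _user_id matches the affected user, leaving everyone else logged in. The table layout, the _user_id key (where Flask-Login keeps the logged-in user's id) and the sample sessions are assumptions stated in the comments; for a real deployment, point the connection at the metadata database from sql_alchemy_conn (a DB-API connection to Postgres or MySQL works the same way with that driver's parameter style).

```python
import pickle
import sqlite3
from datetime import datetime, timedelta

# Layout of the `session` table written by Flask-Session's SqlAlchemy interface,
# which Airflow's database session backend builds on. Assumption for this
# example; the real table carries the same columns on whatever engine you use.
SESSION_TABLE_DDL = """
CREATE TABLE session (
    id INTEGER PRIMARY KEY,
    session_id VARCHAR(255) UNIQUE,
    data BLOB,
    expiry DATETIME
)
"""

# Key under which Flask-Login keeps the logged-in user's id inside the session
# dict (assumption: Airflow's webserver authenticates through Flask-Login).
USER_ID_KEY = "_user_id"


def load_session_dict(blob):
    """Deserialize one row's data the way Flask-Session stores it (pickle).
    Only acceptable because the metadata DB is already trusted by the
    webserver, which unpickles these very blobs on every request."""
    return pickle.loads(bytes(blob))


def find_user_sessions(conn, user_id):
    """Return the session_id of every server-side session owned by user_id.
    There is no user_id column, so every row has to be deserialized."""
    wanted = str(user_id)
    owned = []
    for session_id, data in conn.execute("SELECT session_id, data FROM session"):
        try:
            session_dict = load_session_dict(data)
        except Exception:
            continue  # corrupt or foreign row: skip it, do not abort the sweep
        # Compare as strings: the id may be stored as int or str depending on
        # the user model's get_id(); an anonymous session has no key at all.
        if USER_ID_KEY in session_dict and str(session_dict[USER_ID_KEY]) == wanted:
            owned.append(session_id)
    return owned


def invalidate_user_sessions(conn, user_id):
    """Delete every session owned by user_id and return how many were removed.
    Other users' sessions are untouched, unlike a blanket DELETE FROM session."""
    owned = find_user_sessions(conn, user_id)
    if not owned:
        return 0
    placeholders = ",".join("?" * len(owned))
    cursor = conn.execute(
        f"DELETE FROM session WHERE session_id IN ({placeholders})", owned
    )
    conn.commit()
    return cursor.rowcount


def count_sessions(conn):
    return conn.execute("SELECT COUNT(*) FROM session").fetchone()[0]


def build_demo_db():
    """Constructed sample: an in-memory copy of the table with four live sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SESSION_TABLE_DDL)
    expiry = (datetime(2024, 3, 1) + timedelta(days=30)).isoformat()
    sessions = [
        ("sess-a", {"_user_id": 5, "_fresh": True}),   # affected user, laptop
        ("sess-b", {"_user_id": 5, "_fresh": False}),  # affected user, phone
        ("sess-c", {"_user_id": 7, "_fresh": True}),   # a different user
        ("sess-d", {"csrf_token": "deadbeef"}),        # anonymous, not logged in
    ]
    conn.executemany(
        "INSERT INTO session (session_id, data, expiry) VALUES (?, ?, ?)",
        [(sid, pickle.dumps(d), expiry) for sid, d in sessions],
    )
    conn.commit()
    return conn


def run_demo(user_id=5):
    """Password-reset scenario: return (sessions before, removed, sessions after)."""
    conn = build_demo_db()
    before = count_sessions(conn)
    removed = invalidate_user_sessions(conn, user_id)
    return before, removed, count_sessions(conn)


if __name__ == "__main__":
    before, removed, after = run_demo()
    print(f"{before} sessions before, removed {removed} for user 5, {after} remain")
```

Deleting a row kills only that one browser session, so the user can log straight back in with the new password while every other user stays logged in. Run it right after the reset; until it runs, the old cookie is still accepted.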

Secret Key Rotation

Applies to: all platforms (securecookie session backend; see note)

Change the webserver secret key and restart the webserver. Sessions issued by the securecookie backend are signed with this key, so rotating it invalidates every existing session at once, for all users rather than just the affected one. With the database backend the session state lives in the session table, so clear that table as described under Manual Session Cleanup rather than relying on key rotation alone.

Set a new random value for secret_key in the [webserver] section of airflow.cfg (or via AIRFLOW__WEBSERVER__SECRET_KEY); in a deployment with several webserver instances every instance must receive the same value
Restart the Airflow webserver

🧯 If You Can't Patch

  • Shorten the session lifetime: set session_lifetime_minutes in the [webserver] section of airflow.cfg (default 43200, i.e. 30 days) to a small value so a stale session dies quickly; this bounds the exposure window but does not close it
  • Establish a manual procedure to delete the affected user's rows from the session table (database backend) or rotate secret_key (securecookie backend) immediately after every administrative password reset, and record who did it and when
  • Monitor for a user's requests continuing after a password reset with no new login by that user in between

🔍 How to Verify

Check if Vulnerable:

Vulnerable if the Airflow version is below 2.7.0 and the webserver uses the database session backend ([webserver] session_backend = database, which is the default).

Check Version and Session Backend:

airflow version
airflow config get-value webserver session_backend

Verify Fix Applied:

After upgrading to 2.7.0+, log a test user in from one browser, reset that user's password as an admin from a second browser, then reload the first: it must be redirected to the login page. If the first browser still shows the user as logged in, the fix is not in effect for your setup (for example, the securecookie backend, where only a secret_key rotation invalidates sessions).

📡 Detection & Monitoring

Log Indicators:

  • Authenticated requests by a user in the webserver access log that continue after the time an administrator reset that user's password, with no new login by that user in between
  • A session outliving a password reset by hours or days, i.e. a user's activity stretching towards the configured session_lifetime_minutes after the reset

Network Indicators:

  • Continued connections to the webserver from the client address that was using the account before the reset, while the new password has never been used to log in
  • Any webserver traffic attributed to accounts of terminated employees whose offboarding consisted of a password reset

SIEM Query:

Illustrative Splunk-style query; the source, event and user field names are placeholders to map onto your own Airflow log pipeline. It flags each authenticated request whose user had a password reset after their most recent login:

source="airflow" user=* | sort 0 _time | streamstats current=f last(eval(if(event="password_reset", _time, null()))) AS reset_time last(eval(if(event="login", _time, null()))) AS login_time BY user | where event="request" AND isnotnull(reset_time) AND (isnull(login_time) OR login_time < reset_time)
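
The SIEM query above sketches the correlation; as an added example (not from this page or from the Airflow project), the function below runs the same logic over a few constructed log records: for each password_reset, every later authenticated request by that user that is not preceded by a new login is flagged. The record layout (ts, event, user, client) is an assumption for illustration, since Airflow does not emit these events in one standard format; map the fields onto whatever your webserver access log and audit pipeline actually produce.

```python
from datetime import datetime, timedelta

# Constructed sample events. The field names (ts, event, user, client) and the
# event vocabulary are assumptions for illustration, not a real Airflow log format.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "event": "login", "user": "alice", "client": "10.0.0.5"},
    {"ts": "2024-03-01T09:05:00", "event": "request", "user": "alice", "client": "10.0.0.5"},
    # An admin resets alice's password at 10:00 ...
    {"ts": "2024-03-01T10:00:00", "event": "password_reset", "user": "alice", "client": "10.0.0.9"},
    # ... but the pre-reset session keeps making requests and never logs in again.
    {"ts": "2024-03-01T10:20:00", "event": "request", "user": "alice", "client": "10.0.0.5"},
    {"ts": "2024-03-01T10:30:00", "event": "request", "user": "alice", "client": "10.0.0.5"},
    # bob is reset too, logs in again with the new password, then keeps working: benign.
    {"ts": "2024-03-01T11:00:00", "event": "password_reset", "user": "bob", "client": "10.0.0.9"},
    {"ts": "2024-03-01T11:05:00", "event": "login", "user": "bob", "client": "10.0.0.7"},
    {"ts": "2024-03-01T11:10:00", "event": "request", "user": "bob", "client": "10.0.0.7"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_stale_session_use(events, grace_minutes=0):
    """Flag authenticated requests made after a user's password reset with no new
    login in between. grace_minutes absorbs clock skew between the log sources
    (a request within the grace window of the reset is not reported).
    Returns one finding per offending request, grouped by user, in time order."""
    by_user = {}
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(event["user"], []).append(event)

    grace = timedelta(minutes=grace_minutes)
    findings = []
    for user, user_events in by_user.items():
        reset_at = None    # time of the most recent password reset for this user
        relogin_at = None  # time of the first login after that reset, if any
        for event in user_events:
            when = parse_ts(event["ts"])
            kind = event["event"]
            if kind == "password_reset":
                # A new reset starts a new window; an earlier re-login no longer counts.
                reset_at, relogin_at = when, None
            elif kind == "login" and reset_at is not None and relogin_at is None:
                relogin_at = when
            elif (kind == "request" and reset_at is not None
                  and relogin_at is None and when - reset_at > grace):
                findings.append({
                    "user": user,
                    "reset_at": reset_at.isoformat(),
                    "request_at": when.isoformat(),
                    "client": event["client"],
                })
    return findings


def users_with_stale_sessions(events):
    """Distinct users that kept using a pre-reset session."""
    return sorted({f["user"] for f in find_stale_session_use(events)})


if __name__ == "__main__":
    for finding in find_stale_session_use(SAMPLE_EVENTS):
        print(f"{finding['user']}: request at {finding['request_at']} from "
              f"{finding['client']} uses a session that predates the reset at "
              f"{finding['reset_at']}")
    print("affected users:", users_with_stale_sessions(SAMPLE_EVENTS))
```

Per-user state is what makes this work: a request is only suspicious relative to that user's own latest reset and the absence of a login after it, which is why a plain join of resets against logins (as in the original query draft) cannot express it. On the constructed sample only alice is reported; bob re-authenticated, so his later requests come from a session the reset could not have left behind.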

🔗 References

  • Apache Airflow advisory: https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-40273