CVE-2024-42447

9.8 CRITICAL

📋 TL;DR

In Apache Airflow's FAB provider the logout action does not terminate the user's session, so a session cookie issued before logout keeps working afterward. It affects FAB provider 1.2.0 with any Airflow version and FAB provider 1.2.1 only when paired with Airflow 2.9.3. Anyone holding a copy of such a cookie can keep using the Airflow instance as that user after the user believes they have logged out.

💻 Affected Systems

Products:
  • Apache Airflow
  • Apache Airflow Providers FAB
Versions: FAB provider 1.2.0 (all Airflow versions), FAB provider 1.2.1 (only with Airflow 2.9.3)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Early Airflow 2.9.3 container images and constraint files pinned the vulnerable FAB 1.2.1, so an image pulled or built in that window is affected even though nothing was upgraded by hand; check the provider version inside the image rather than trusting the Airflow tag.

📦 What is this software?

Apache Airflow is a workflow orchestration platform that schedules and runs Python-defined DAGs. The FAB provider (apache-airflow-providers-fab) bundles the Flask-AppBuilder based auth manager that the Airflow 2.9 webserver uses for login, sessions and role-based access control, which is why a session-handling bug in the provider affects the whole UI.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain persistent access to Airflow admin interfaces, potentially compromising data pipelines, stealing credentials, or disrupting critical workflows.

🟠

Likely Case

Someone holding a previously issued session cookie keeps using the Airflow UI after the legitimate user has logged out, with that user's roles and therefore access to DAG definitions, connections, variables and run controls.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the Airflow instance itself rather than broader infrastructure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires a copy of a valid session cookie, obtained by whatever means (the advisory does not describe one). What the bug adds is persistence: a cookie captured before the user logs out would normally be dead afterward, but on affected versions it still works.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Airflow Providers FAB 1.2.2

Vendor Advisory: https://lists.apache.org/thread/2zoo8cjlwfjhbfdxfgltcm0hnc0qmc52

Restart Required: Yes

Instructions:

1. Upgrade the FAB provider: 'pip install --upgrade apache-airflow-providers-fab==1.2.2'
2. Restart the Airflow webserver (and any other Airflow services that load the provider)
3. For container deployments, pull an Airflow image built after the fix or rebuild with updated constraints, then confirm the provider version inside the running image

🔧 Temporary Workarounds

Force session timeout

Applies to: all platforms

Configure a shorter session lifetime so a cookie that survives logout expires sooner. Set AIRFLOW__WEBSERVER__SESSION_LIFETIME_MINUTES in the environment, or session_lifetime_minutes in the [webserver] section of airflow.cfg, to a low value. This shortens the exposure window but does not close it: a cookie captured before logout stays valid until the lifetime runs out.
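The weak default beside the tightened setting, as an added airflow.cfg fragment (not from the advisory). The Airflow default of 43200 minutes is the shipped value; 480 minutes is an illustrative choice, not a recommendation from the project.

```ini
[webserver]
# Airflow default: 43200 minutes (30 days). On an affected FAB provider a
# cookie that survives logout stays usable for this long.
# session_lifetime_minutes = 43200

# Tightened: sessions expire after 8 hours whether or not logout works.
# 480 is an assumed value for illustration; size it to your shift pattern.
session_lifetime_minutes = 480
```

The same setting as an environment variable is AIRFLOW__WEBSERVER__SESSION_LIFETIME_MINUTES=480; the environment variable takes precedence over airflow.cfg. Restart the webserver after changing it.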

🧯 If You Can't Patch

  • Implement network segmentation to restrict Airflow access to trusted users only
  • Monitor for unusual session activity and implement additional authentication layers

🔍 How to Verify

Check if Vulnerable:

Check FAB provider version: 'pip show apache-airflow-providers-fab' and verify if using 1.2.0 or 1.2.1 (with Airflow 2.9.3)

Check Version:

pip show apache-airflow-providers-fab | grep Version
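The version matrix from this page as a Python check you can run inside the Airflow environment or container (added example, not project code). It reads the installed distribution versions through importlib.metadata and matches them against the affected pairs exactly; pre-release strings such as 1.2.1rc1 are not matched and should be checked by hand.

```python
"""Decide whether the installed Airflow + FAB provider pair is in the affected
set for CVE-2024-42447. Added example, not Apache project code.

The matrix is the one stated on this page: FAB 1.2.0 with any Airflow,
FAB 1.2.1 only with Airflow 2.9.3. Distribution names are the PyPI names.
"""
from importlib.metadata import PackageNotFoundError, version
from typing import Optional, Tuple

# FAB provider version -> set of Airflow versions it is affected with,
# or None meaning "with every Airflow version".
AFFECTED = {
    "1.2.0": None,
    "1.2.1": {"2.9.3"},
}
FIXED_IN = "1.2.2"


def is_vulnerable(fab_version: str, airflow_version: str) -> bool:
    """True when the (FAB provider, Airflow) pair is listed as affected.

    Exact release strings only; a pre-release like '1.2.1rc1' does not match.
    """
    if fab_version not in AFFECTED:
        return False
    airflow_versions = AFFECTED[fab_version]
    if airflow_versions is None:
        return True
    return airflow_version in airflow_versions


def installed_version(dist: str) -> Optional[str]:
    """Version of an installed distribution, or None if it is not installed."""
    try:
        return version(dist)
    except PackageNotFoundError:
        return None


def check_installed() -> Tuple[Optional[str], Optional[str], bool]:
    """(fab_version, airflow_version, vulnerable) for the current environment."""
    fab = installed_version("apache-airflow-providers-fab")
    airflow = installed_version("apache-airflow")
    if fab is None or airflow is None:
        return fab, airflow, False
    return fab, airflow, is_vulnerable(fab, airflow)


if __name__ == "__main__":
    fab, airflow, vuln = check_installed()
    print(f"apache-airflow={airflow} apache-airflow-providers-fab={fab}")
    if fab is None:
        print("FAB provider not installed: not affected")
    elif vuln:
        print(f"VULNERABLE: upgrade apache-airflow-providers-fab to {FIXED_IN}")
    else:
        print("not in the affected set")
```

Run it with the same interpreter that runs the webserver (inside the container for image deployments), since that is the environment whose packages matter.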

Verify Fix Applied:

Confirm the installed FAB provider is 1.2.2 or later, then test logout directly: log in, keep a copy of the session cookie, log out through the UI, and replay the saved cookie against a protected page. A fixed instance redirects the replay to the login form; an affected one serves the page.
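The replay test described above as a script (added example, not project code). Assumptions not taken from the advisory: the webserver runs the FAB auth manager's database login form at /login/ with fields username, password and a hidden csrf_token, logout is a GET to /logout/, and /home redirects unauthenticated clients to the login form. Only the standard library is used.

```python
"""Check whether logging out of the Airflow webserver invalidates the session
cookie. Added example, not Apache project code.

Assumed endpoints: /login/ (FAB DB auth form), /logout/, and /home as a page
that redirects anonymous clients to the login form.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Dict, Optional, Tuple

CSRF_RE = re.compile(r'name="csrf_token"[^>]*value="([^"]+)"')


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a redirect to the
    login form shows up as a status code."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def extract_csrf_token(html: str) -> Optional[str]:
    """Pull the hidden csrf_token value out of the login form HTML."""
    m = CSRF_RE.search(html)
    return m.group(1) if m else None


def _status(opener, url: str, data: Optional[bytes] = None,
            headers: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
    """(status, body) for one request; redirects are returned, not followed."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def verdict(status_with_session: int, status_after_logout: int) -> str:
    """Classify the replay: 200 on a protected page both before and after
    /logout/ means logout did not invalidate the session."""
    if status_with_session != 200:
        return "inconclusive: login did not yield a usable session"
    if status_after_logout == 200:
        return "VULNERABLE: session cookie still accepted after logout"
    return "ok: session cookie rejected after logout"


def probe(base_url: str, username: str, password: str,
          protected_path: str = "/home") -> str:
    jar = CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar), NoRedirect())

    # 1. fetch the login form for its CSRF token (and any initial cookie)
    _, html = _status(opener, base_url + "/login/")
    token = extract_csrf_token(html)
    if token is None:
        return "inconclusive: no csrf_token on /login/"

    # 2. log in; FAB answers a successful login with a redirect
    form = urllib.parse.urlencode(
        {"username": username, "password": password, "csrf_token": token}
    ).encode()
    _status(opener, base_url + "/login/", data=form)

    # 3. snapshot the cookies an attacker could have captured at this point
    captured = "; ".join(f"{c.name}={c.value}" for c in jar)
    before, _ = _status(opener, base_url + protected_path)

    # 4. log out through the normal UI path
    _status(opener, base_url + "/logout/")

    # 5. replay the captured cookies from a fresh client with no jar of its own
    bare = urllib.request.build_opener(NoRedirect())
    after, _ = _status(bare, base_url + protected_path,
                       headers={"Cookie": captured})
    return verdict(before, after)


if __name__ == "__main__":
    # usage: python probe.py http://airflow.example:8080 admin 'password'
    print(probe(*sys.argv[1:4]))
```

Run it against a test account on a non-production webserver, then again after upgrading; the verdict should move from VULNERABLE to ok. If the first verdict is inconclusive, the login form or protected path differs from the assumed defaults.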

📡 Detection & Monitoring

Log Indicators:

  • Requests to protected UI paths that return 200 from a client after that client requested /logout/, with no new POST to /login/ in between
  • Sessions that remain active long after the user's last login or logout
  • Several concurrent sessions for one user from different source addresses

Network Indicators:

  • A client that keeps reaching authenticated Airflow endpoints without ever re-authenticating after a logout

SIEM Query:

source="airflow" AND (event="logout_failed" OR session_duration>24h)

The field names above are placeholders to adapt to your pipeline: the webserver's access log records request path and status per client, not session events, so the usable signal is "request to /logout/ followed by an accepted request to a protected path from the same client".
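The path-sequence detection described above run over sample access-log lines (added example, not project code). It expects the combined log format that gunicorn writes when the Airflow webserver's access log is enabled. Clients are keyed on (source IP, user agent) because the access log carries no session identifier; behind NAT or a shared proxy that key is noisy, so treat hits as leads to check against the session store, not verdicts. The sample lines are constructed for this example.

```python
"""Flag clients whose requests to protected pages keep succeeding after they
requested /logout/. Added example, not Apache project code.

Input: combined-format access-log lines from the webserver. The sample below
is constructed; the paths are ordinary Airflow UI paths.
"""
import re
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Paths that legitimately work without a session.
PUBLIC_PREFIXES = ("/login", "/logout", "/static/", "/health")


def parse_line(line: str) -> Dict[str, str]:
    """Fields of one access-log line, or {} if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else {}


def post_logout_hits(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client_ip, timestamp, path) for every 200 on a protected path that
    follows a /logout/ request from the same client with no new login."""
    logged_out: Dict[Tuple[str, str], bool] = {}
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        r = parse_line(line)
        if not r:
            continue
        key = (r["ip"], r["ua"])
        path = r["path"].split("?", 1)[0]
        if path.startswith("/logout"):
            logged_out[key] = True
        elif path.startswith("/login") and r["method"] == "POST":
            logged_out[key] = False          # a fresh login resets the state
        elif (logged_out.get(key) and r["status"] == "200"
              and not path.startswith(PUBLIC_PREFIXES)):
            hits.append((r["ip"], r["ts"], path))
    return hits


# Constructed sample: one client logs in, logs out, then still gets a DAG
# grid page; a second client never logged out and is not flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2024:09:00:01 +0000] "POST /login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Aug/2024:09:00:02 +0000] "GET /home HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Aug/2024:09:30:00 +0000] "GET /logout/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Aug/2024:09:30:01 +0000] "GET /login/ HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Aug/2024:09:45:10 +0000] "GET /dags/example_dag/grid HTTP/1.1" 200 18877 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Aug/2024:09:45:11 +0000] "GET /static/appbuilder/css/bootstrap.min.css HTTP/1.1" 200 121200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Aug/2024:09:50:00 +0000] "GET /home HTTP/1.1" 200 51234 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, ts, path in post_logout_hits(SAMPLE_LOG):
        print(f"{ts} {ip} accepted on {path} after logout")
```

On the sample the only hit is 10.0.0.5 reaching /dags/example_dag/grid at 09:45:10; the static asset and the login page after logout are public and ignored. On a patched instance that grid request would have returned a redirect and produced no hit.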

🔗 References

📤 Share & Export