CVE-2024-45033
📋 TL;DR
This vulnerability allows users to maintain active sessions even after their passwords have been changed via CLI, potentially enabling unauthorized access. It affects Apache Airflow Fab Provider installations before version 1.5.2. Only password changes made through the command-line interface trigger this issue, not those made via the web interface.
💻 Affected Systems
- Apache Airflow Fab Provider
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker who obtains valid user credentials could maintain persistent access even after the legitimate user changes their password, potentially leading to data theft, privilege escalation, or system compromise.
Likely Case
Legitimate users who have had their passwords changed by administrators via CLI could retain access unintentionally, creating compliance issues and potential insider threats.
If Mitigated
With proper monitoring and session management controls, the impact is limited to temporary access persistence until sessions naturally expire.
🎯 Exploit Status
Requires existing user credentials and knowledge of CLI password changes. Exploitation depends on timing and access to active sessions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.2
Vendor Advisory: https://lists.apache.org/thread/yw535346rk766ybzpqtvrl36sjj789st
Restart Required: No
Instructions:
1. Backup your current configuration.
2. Upgrade Apache Airflow Fab Provider to version 1.5.2 using pip: 'pip install --upgrade apache-airflow-providers-fab==1.5.2'.
3. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Manual Session Invalidation
Manually invalidate all user sessions after CLI password changes by restarting the Airflow webserver or clearing session storage.
systemctl restart airflow-webserver
airflow db clean --clean-before-timestamp 'YYYY-MM-DD'
Disable CLI Password Changes
Restrict password changes to the web interface only by removing CLI password change permissions from non-admin users.
🧯 If You Can't Patch
- Implement mandatory session timeout policies to force re-authentication at regular intervals
- Monitor and alert on CLI password change events followed by continued user activity
🔍 How to Verify
Check if Vulnerable:
Check the installed version of the apache-airflow-providers-fab package with 'pip show apache-airflow-providers-fab'; the installation is vulnerable if the version is below 1.5.2.
Check Version:
pip show apache-airflow-providers-fab | grep Version
Verify Fix Applied:
After upgrade, confirm version is 1.5.2 or higher: 'pip show apache-airflow-providers-fab | grep Version'. Test by changing a user password via CLI and verifying existing sessions are terminated.
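The version check above is easy to get wrong when done by eye or with a string comparison (lexically, "1.5.10" sorts below "1.5.2"). The following script is an added example, not part of the advisory or the Apache Airflow project: it reads the installed package version through importlib.metadata and compares it numerically against the fixed version 1.5.2 given on this page. The tuple-based comparator and the treatment of pre-release suffixes (a release candidate of 1.5.2 is still counted as vulnerable) are assumptions made for this example.

```python
"""Report whether the installed apache-airflow-providers-fab predates the fix for CVE-2024-45033.

Added example; not part of the advisory or the project's own tooling.
"""
import re
from importlib.metadata import PackageNotFoundError, version

PACKAGE = "apache-airflow-providers-fab"
FIXED_VERSION = "1.5.2"  # first release containing the fix, per the advisory


def parse_version(text):
    """Turn '1.5.2' (or '1.5.2rc1') into a tuple that compares numerically.

    The last element is 1 for a final release and 0 for anything carrying a
    suffix, so a pre-release sorts below the plain release of the same number.
    (Assumption for this example; it is not a full PEP 440 parser.)
    """
    match = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # normalise '1.5' -> (1, 5, 0)
    return numbers + (0 if match.group(2) else 1,)


def is_vulnerable(installed):
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def installed_fab_version():
    """Version string of the installed provider, or None when it is absent."""
    try:
        return version(PACKAGE)
    except PackageNotFoundError:
        return None


def check():
    """Human-readable verdict for the local environment."""
    installed = installed_fab_version()
    if installed is None:
        return f"{PACKAGE} is not installed"
    verdict = "VULNERABLE (below 1.5.2)" if is_vulnerable(installed) else "fixed"
    return f"{PACKAGE} {installed}: {verdict}"


if __name__ == "__main__":
    print(check())
```

Run it inside the same virtual environment or container as the Airflow webserver, since that is the interpreter whose site-packages matter; running it elsewhere reports on a different installation.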
📡 Detection & Monitoring
Log Indicators:
- CLI password change events without corresponding session termination logs
- User activity continuing after password change timestamps
- Multiple active sessions for same user after password reset
Network Indicators:
- Unusual authentication patterns
- Session persistence beyond expected lifetimes
SIEM Query:
source="airflow" (event="password_change" AND method="CLI") FOLLOWED BY source="airflow" (user=* AND event="authentication_success") WITHIN 24h
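A concrete way to implement the log indicators listed above, as an added example that is not part of the advisory or of Airflow: correlate each CLI password change with later activity by the same user, and flag activity that rides on a session established before the change (a session that a working fix would have invalidated). The key=value audit lines below are constructed for illustration and do not reproduce Airflow's actual log layout; the field names event, method, user and session are assumptions borrowed from the SIEM query on this page. A fresh authentication_success after the change is treated as expected behaviour, and a password change made through the web interface is ignored because it is outside the scope of this issue.

```python
"""Flag sessions that survive a CLI password change (CVE-2024-45033 log indicator).

Added example; the log format and field names are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample audit lines: "<timestamp> key=value key=value ...".
SAMPLE_LOG = """\
2024-09-01T09:30:00Z event=authentication_success user=alice session=abc123
2024-09-01T09:45:00Z event=dag_trigger user=alice session=abc123
2024-09-01T10:00:00Z event=password_change method=CLI user=alice
2024-09-01T10:05:00Z event=dag_trigger user=alice session=abc123
2024-09-01T09:50:00Z event=authentication_success user=bob session=def456
2024-09-01T10:06:00Z event=password_change method=WEB user=bob
2024-09-01T10:11:00Z event=dag_trigger user=bob session=def456
2024-09-01T10:30:00Z event=password_change method=CLI user=carol
2024-09-01T10:35:00Z event=authentication_success user=carol session=ghi789
2024-09-01T10:36:00Z event=dag_trigger user=carol session=ghi789
"""


def parse_line(line):
    """Parse one constructed audit line into a dict with a datetime 'ts'."""
    ts_text, *pairs = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def find_persistent_sessions(log_text, window_hours=24.0):
    """Return activity events that reuse a pre-change session after a CLI password change.

    An event is reported when its user had a CLI password change at most
    window_hours earlier and the event's session id was first seen before
    that change. Events without a session id are not assessed here.
    """
    window = timedelta(hours=window_hours)
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda record: record["ts"],
    )
    first_seen = {}   # session id -> timestamp the session was first observed
    cli_change = {}   # user -> timestamp of the most recent CLI password change
    findings = []
    for event in events:
        session = event.get("session")
        if session is not None and session not in first_seen:
            first_seen[session] = event["ts"]
        kind = event.get("event")
        if kind == "password_change":
            if event.get("method") == "CLI":
                cli_change[event["user"]] = event["ts"]
            continue  # web-interface changes are out of scope for this issue
        if kind == "authentication_success":
            continue  # a fresh login after the change is the expected path
        changed_at = cli_change.get(event.get("user"))
        if changed_at is None or not (changed_at < event["ts"] <= changed_at + window):
            continue
        if session is not None and first_seen[session] < changed_at:
            findings.append({
                "user": event["user"],
                "session": session,
                "event": kind,
                "password_changed_at": changed_at,
                "activity_at": event["ts"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_persistent_sessions(SAMPLE_LOG):
        print(f"{finding['user']}: session {finding['session']} used for "
              f"{finding['event']} at {finding['activity_at']:%H:%M} after CLI "
              f"password change at {finding['password_changed_at']:%H:%M}")
```

With the sample data only alice is reported: her session abc123 predates the 10:00 CLI change and is still used at 10:05. bob's change went through the web interface, and carol logged in again after her change, so neither is flagged. On a real deployment the same logic applies once the lines are mapped from whatever the webserver and CLI actually emit; the 24-hour window mirrors the WITHIN 24h clause of the SIEM query above.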