CVE-2022-45402
Published: 15 November 2022
Summary
CVE-2022-45402 is a medium-severity Open Redirect (CWE-601) vulnerability in Apache Airflow. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
In Apache Airflow versions prior to 2.4.3, an open redirect vulnerability (CWE-601) existed in the webserver's /login endpoint. The flaw carried a CVSS 3.1 score of 6.1 and allowed manipulation of redirect targets without authentication.
An unauthenticated attacker could craft a malicious link that, when visited by a user, causes the Airflow login flow to redirect the victim to an attacker-controlled site. Successful exploitation could result in limited impacts to confidentiality and integrity through phishing or credential-harvesting pages; it requires user interaction to trigger.
Public advisories and the referenced Apache security lists direct users to upgrade to Airflow 2.4.3 or later; the fix is also available via the merged pull request 27576 that closes the redirect vector in the login handler. The associated EPSS score has remained flat at 0.0636 with no material increase since disclosure.
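The weakness class behind this CVE is a login handler that trusts a client-supplied post-login destination. The example below is added here and is not Airflow's code or the fix from pull request 27576; it assumes a constructed origin `APP_ORIGIN`, a constructed default landing page `DEFAULT_LANDING`, and a query parameter named `next`. It shows the weak pattern next to a hardened check that only honours same-origin destinations and re-emits a normalised local path instead of echoing the raw input, covering the usual bypass shapes (protocol-relative `//host`, backslash-as-slash, absolute foreign URLs, non-HTTP schemes, CR/LF).

```python
# Added example (not Airflow's code): validating a post-login "next" redirect target.
# Assumptions: the application's origin is APP_ORIGIN (constructed value) and the
# login view reads the desired destination from a query parameter named "next".
from urllib.parse import urljoin, urlparse

APP_ORIGIN = "https://airflow.example.internal"  # constructed placeholder origin
DEFAULT_LANDING = "/home"                         # constructed default landing page


def redirect_target_unchecked(next_url, default=DEFAULT_LANDING):
    """Weak pattern: the login handler echoes whatever 'next' the client supplied."""
    return next_url or default


def safe_redirect_target(next_url, app_origin=APP_ORIGIN, default=DEFAULT_LANDING):
    """Hardened pattern: only same-origin destinations are honoured, and the
    response carries a normalised local path rather than the raw input."""
    if not next_url:
        return default
    # Header-injection guard: CR/LF and other whitespace never belong in a redirect target.
    if any(ch in next_url for ch in "\r\n\t "):
        return default
    # Browsers treat a backslash like a slash in the authority position, so normalise
    # first; otherwise "/\evil.example" parses as a local path but navigates off-site.
    candidate = next_url.replace("\\", "/")
    # Resolve relative to the app origin, then compare scheme and host (case-insensitive).
    resolved = urlparse(urljoin(app_origin, candidate))
    origin = urlparse(app_origin)
    if resolved.scheme != origin.scheme or resolved.netloc.lower() != origin.netloc.lower():
        return default
    # Re-emit only path and query; scheme and host are implied by the app's own origin,
    # so even odd inputs such as "///evil.example" become a harmless local path.
    local = resolved.path or "/"
    return f"{local}?{resolved.query}" if resolved.query else local


if __name__ == "__main__":
    probes = [
        "/dags?tag=x",
        "//evil.example/phish",
        "https://evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
    ]
    for probe in probes:
        print(f"{probe!r:26} unchecked={redirect_target_unchecked(probe)!r:26} "
              f"checked={safe_redirect_target(probe)!r}")
```

In a Flask-style login view this replaces `redirect(request.args.get("next"))` with `redirect(safe_redirect_target(request.args.get("next")))`; the check is done server-side on the resolved URL rather than by string-prefix matching on the raw parameter, which is where most allow-list bypasses live.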
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0019
Vulnerability details
In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint.
- CWE(s): CWE-601 (Open Redirect)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.