CVE-2024-45033
Published: 08 January 2025
Summary
CVE-2024-45033 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Apache Apache-Airflow-Providers-Fab. Its CVSS base score is 8.1 (High).
Operationally, this CVE is ranked in the top 22.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-12 (Session Termination): directly requires termination of user sessions upon organization-defined trigger events such as password changes, addressing the failure to invalidate sessions after CLI password updates.
- SI-2 (Flaw Remediation): mandates timely remediation of identified flaws, such as patching Apache Airflow Fab Provider to version 1.5.2 to fix the session invalidation issue.
- Requires management of account changes, including password updates, with procedures to ensure that associated access such as sessions is appropriately revoked.
NVD Description
Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver, thus this is different from CVE-2023-40273 (https://github.com/advisories/GHSA-pm87-24wq-r8w9), which was addressed in Apache-Airflow 2.7.0. Users are recommended to upgrade to version 1.5.2, which fixes the issue.
Deeper analysis
CVE-2024-45033 is an Insufficient Session Expiration vulnerability (CWE-613) affecting the Apache Airflow Fab Provider in versions prior to 1.5.2. The issue arises when an administrator changes a user's password using the admin CLI, as the existing sessions for that user are not invalidated. This allows previously authenticated sessions to remain active despite the password update. Notably, the problem is specific to CLI-based password changes and does not occur when passwords are modified via the webserver UI, distinguishing it from the related CVE-2023-40273, which was addressed in Apache Airflow 2.7.0.
A low-privileged remote attacker (PR:L) with network access (AV:N) and an existing valid session can exploit this vulnerability with low complexity (AC:L) and no user interaction required. By maintaining their session after an admin performs a CLI password change—intended to revoke access—the attacker retains unauthorized persistence, potentially achieving high confidentiality (C:H) and integrity (I:H) impacts on the affected user account, with a CVSS v3.1 base score of 8.1.
Apache recommends upgrading to Apache Airflow Fab Provider version 1.5.2, which resolves the session invalidation issue. Additional details are available in the official advisory on the Apache mailing list (https://lists.apache.org/thread/yw535346rk766ybzpqtvrl36sjj789st) and the corresponding GitHub pull request (https://github.com/apache/airflow/pull/45139).
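The defect class described above, and the fix pattern, as an added example that is not part of this page or of the Airflow project's code: a minimal session store where a password changed through a "CLI" path leaves existing sessions valid, beside a shared password-change routine that bumps a per-user password generation and drops the user's sessions so that any change path revokes them. All names (Store, User, Session, demo) and data are constructed for this example.

```python
"""Session invalidation on password change (constructed example).

Models the defect class behind CVE-2024-45033: a password changed through
one entry point (an admin CLI) without invalidating the user's sessions.
The fix shown binds each session to a password generation counter and has
every entry point call one shared routine, so all old sessions are rejected.
"""
import hashlib
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    token: str
    user: str
    pw_generation: int  # generation in force when the session was issued


class Store:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def create_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        u = self.users.get(name)
        if u is None or not secrets.compare_digest(
            _hash_password(password, u.salt), u.pw_hash
        ):
            return None
        tok = secrets.token_urlsafe(32)
        self.sessions[tok] = Session(tok, name, u.pw_generation)
        return tok

    def session_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        # Reject sessions issued under an older password generation, which
        # also covers cookie-held sessions that never touch a server store.
        return s.pw_generation == self.users[s.user].pw_generation

    def cli_set_password_vulnerable(self, name: str, new_password: str) -> None:
        """Pre-fix behaviour: rewrites the hash but leaves sessions untouched."""
        u = self.users[name]
        u.pw_hash = _hash_password(new_password, u.salt)

    def set_password(self, name: str, new_password: str) -> None:
        """Fixed, shared routine for CLI and web: rotate hash, bump generation,
        and drop every server-side session belonging to the user."""
        u = self.users[name]
        u.salt = os.urandom(16)
        u.pw_hash = _hash_password(new_password, u.salt)
        u.pw_generation += 1
        for tok in [t for t, s in self.sessions.items() if s.user == name]:
            del self.sessions[tok]


def demo() -> dict:
    """Walk both change paths against one logged-in user (constructed data)."""
    store = Store()
    store.create_user("alice", "old-password")
    tok = store.login("alice", "old-password")
    assert tok is not None
    store.cli_set_password_vulnerable("alice", "new-password-1")
    after_vuln = store.session_valid(tok)       # True: session survives
    store.set_password("alice", "new-password-2")
    after_fix = store.session_valid(tok)        # False: session revoked
    new_tok = store.login("alice", "new-password-2")
    return {
        "session_valid_after_vulnerable_cli_change": after_vuln,
        "session_valid_after_fixed_change": after_fix,
        "new_login_valid": new_tok is not None and store.session_valid(new_tok),
        "old_password_login": store.login("alice", "old-password"),
    }


if __name__ == "__main__":
    print(demo())
```

The generation check in session_valid is what makes the fix robust: deleting server-side session records alone would not help a deployment whose sessions live entirely in a signed cookie, whereas comparing the session's recorded generation with the user's current one rejects stale sessions on the next request regardless of where they are stored.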
Details
- CWE(s): CWE-613 (Insufficient Session Expiration)