
CVE-2024-45033

Severity: High
Published: 08 January 2025
Modified: 03 June 2025
KEV Added: not listed in CISA KEV
Patch: available (Apache Airflow Fab Provider 1.5.2)
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0136 (80.5th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45033 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Apache Apache-Airflow-Providers-Fab. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks in the top 19.5% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-45033 is an Insufficient Session Expiration vulnerability (CWE-613) affecting the Apache Airflow Fab Provider in versions prior to 1.5.2. The issue arises when an administrator changes a user's password using the admin CLI, as the existing sessions for that user are not invalidated. This allows previously authenticated sessions to remain active despite the password update. Notably, the problem is specific to CLI-based password changes and does not occur when passwords are modified via the webserver UI, distinguishing it from the related CVE-2023-40273, which was addressed in Apache Airflow 2.7.0.

A low-privileged remote attacker (PR:L) with network access (AV:N) and an existing valid session can exploit this vulnerability with low complexity (AC:L) and no user interaction required. By maintaining their session after an admin performs a CLI password change—intended to revoke access—the attacker retains unauthorized persistence, potentially achieving high confidentiality (C:H) and integrity (I:H) impacts on the affected user account, with a CVSS v3.1 base score of 8.1.

Apache recommends upgrading to Apache Airflow Fab Provider version 1.5.2, which resolves the session invalidation issue. Additional details are available in the official advisory on the Apache mailing list (https://lists.apache.org/thread/yw535346rk766ybzpqtvrl36sjj789st) and the corresponding GitHub pull request (https://github.com/apache/airflow/pull/45139).
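To make the defect concrete, here is an added example that is not Airflow's own code (the class, method and generation-counter names are constructed): it models the CLI password change that leaves sessions usable beside a fixed version that revokes every session the user holds, regardless of which channel changed the password.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def hash_pw(password: str) -> str:
    # Stand-in for a real password hasher; only the rotation matters here.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class User:
    username: str
    password_hash: str
    # Generation counter copied into every session at login. Bumping it
    # invalidates every session issued earlier, whatever channel did the change.
    session_generation: int = 0


@dataclass
class SessionStore:
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # session id -> (username, generation)

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = User(username, hash_pw(password))

    def login(self, username: str, password: str):
        user = self.users[username]
        if not secrets.compare_digest(user.password_hash, hash_pw(password)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = (username, user.session_generation)
        return sid

    def is_session_valid(self, sid: str) -> bool:
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        username, generation = entry
        return generation == self.users[username].session_generation

    def cli_change_password_vulnerable(self, username: str, new_password: str) -> None:
        # The CWE-613 pattern: the hash is rotated but existing sessions stay usable.
        self.users[username].password_hash = hash_pw(new_password)

    def cli_change_password_fixed(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.password_hash = hash_pw(new_password)
        user.session_generation += 1  # all sessions issued before now are rejected
```

A regression test that logs in, runs the CLI change, then asserts the old session no longer validates is the simplest way to keep the fixed behaviour from silently reverting.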


Vulnerability details

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When a user password has been changed with the admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration; thus logged-in users could continue to be logged in even after the password was changed. This only happened when the password was changed with the CLI. The problem does not happen in case the change was done with the webserver; thus this is different from CVE-2023-40273 (https://github.com/advisories/GHSA-pm87-24wq-r8w9), which was addressed in Apache-Airflow 2.7.0. Users are recommended to upgrade to version 1.5.2, which fixes the issue.

CWE(s): CWE-613 (Insufficient Session Expiration)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
- T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

The vulnerability allows continued use of valid web sessions after a password change made via the CLI, which directly enables continued access through Valid Accounts (T1078) and Web Session Cookies (T1550.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-57735 (same vendor: Apache)
- CVE-2024-13280 (shared CWE-613)
- CVE-2025-62235 (same vendor: Apache)
- CVE-2025-36376 (shared CWE-613)
- CVE-2026-29092 (shared CWE-613)
- CVE-2026-23906 (same vendor: Apache)
- CVE-2026-31987 (same vendor: Apache)
- CVE-2025-56643 (shared CWE-613)
- CVE-2026-41604 (same vendor: Apache)
- CVE-2026-46586 (same vendor: Apache)

Affected Assets

Vendor: apache
Product: apache-airflow-providers-fab
Versions: ≤ 1.5.2

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly requires termination of user sessions upon organization-defined trigger events such as password changes, addressing the failure to invalidate sessions after CLI password updates.
- prevent: Mandates timely remediation of identified flaws, such as patching Apache Airflow Fab Provider to version 1.5.2 to fix the session invalidation issue.
- prevent: Requires management of account changes, including password updates, with procedures to ensure that associated access such as sessions is appropriately revoked.
