CVE-2024-45033
Published: 08 January 2025
Description
Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When a user's password was changed with the admin CLI, the sessions for that user were not cleared, leading to insufficient session expiration; logged-in users could therefore remain logged in even after the password was changed. This only happened when the password was changed with the CLI. The problem does not occur when the change was made through the webserver, so this is different from CVE-2023-40273 (https://github.com/advisories/GHSA-pm87-24wq-r8w9), which was addressed in Apache Airflow 2.7.0. Users are recommended to upgrade to version 1.5.2, which fixes the issue.
Security Summary
CVE-2024-45033 is an Insufficient Session Expiration vulnerability (CWE-613) affecting the Apache Airflow Fab Provider in versions prior to 1.5.2. The issue arises when an administrator changes a user's password using the admin CLI, as the existing sessions for that user are not invalidated. This allows previously authenticated sessions to remain active despite the password update. Notably, the problem is specific to CLI-based password changes and does not occur when passwords are modified via the webserver UI, distinguishing it from the related CVE-2023-40273, which was addressed in Apache Airflow 2.7.0.
A low-privileged remote attacker (PR:L) with network access (AV:N) and an existing valid session can exploit this vulnerability with low complexity (AC:L) and no user interaction required. By keeping that session alive after an admin performs a CLI password change, which is intended to revoke access, the attacker retains unauthorized persistence, potentially achieving high confidentiality (C:H) and integrity (I:H) impacts on the affected user account, with a CVSS v3.1 base score of 8.1.
Apache recommends upgrading to Apache Airflow Fab Provider version 1.5.2, which resolves the session invalidation issue. Additional details are available in the official advisory on the Apache mailing list (https://lists.apache.org/thread/yw535346rk766ybzpqtvrl36sjj789st) and the corresponding GitHub pull request (https://github.com/apache/airflow/pull/45139).
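The following is an added illustration, not code from the Airflow or Fab Provider projects: a minimal Python model of the weak pattern (the CLI rewrites only the password hash) beside one common remedy (a per-user credential generation that every session is bound to at login and re-checked on each request). The in-memory dicts, function names and the SHA-256 placeholder hash are assumptions for the demo; a real deployment uses a proper password KDF and its actual session backend.

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for the user table and session backend.
USERS = {}     # username -> {"hash": str, "generation": int}
SESSIONS = {}  # session id -> {"user": str, "generation": int}


def _hash(password):
    # Placeholder only: real systems must use a password KDF (argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def create_user(name, password):
    USERS[name] = {"hash": _hash(password), "generation": 0}


def login(name, password):
    """Return a session id on success, None on bad credentials."""
    user = USERS.get(name)
    if user is None or user["hash"] != _hash(password):
        return None
    sid = secrets.token_hex(16)
    # The session records the credential generation it was issued under.
    SESSIONS[sid] = {"user": name, "generation": user["generation"]}
    return sid


def cli_reset_password_weak(name, new_password):
    """Models the pre-1.5.2 CLI behaviour: the hash changes, sessions are untouched."""
    USERS[name]["hash"] = _hash(new_password)


def cli_reset_password_fixed(name, new_password):
    """Rotate the hash AND bump the generation so every earlier session is stale."""
    USERS[name]["hash"] = _hash(new_password)
    USERS[name]["generation"] += 1


def is_session_valid(sid):
    """Per-request check: a session survives only if its generation is current."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    return sess["generation"] == USERS[sess["user"]]["generation"]
```

The generation check works even when sessions live in client-side signed cookies that the server cannot enumerate; with a server-side session store you can additionally delete the user's session rows at reset time.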
Details
- CWE(s)