High severityNVD Advisory· Published Oct 7, 2022· Updated Aug 3, 2024
Session still functional after user is deactivated
CVE-2022-41672
Description
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflowPyPI | < 2.4.1rc1 | 2.4.1rc1 |
Affected products
3- osv-coords2 versions
< 2.4.2+ 1 more
- (no CPE)range: < 2.4.2
- (no CPE)range: < 2.4.1rc1
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-3q8r-f3pj-3gc4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-41672ghsaADVISORY
- github.com/apache/airflow/commit/12bfb571a895a28a58d3189b0fc10cfc1b89e24cghsaWEB
- github.com/apache/airflow/pull/26635ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42983.yamlghsaWEB
- lists.apache.org/thread/ohf3pvd3dftb8zb01yngbn1jtkq5m08yghsaWEB
News mentions
0No linked articles in our index yet.