Published: June 2024
Affected Package: apache-airflow-providers-fab < 1.5.2
Severity: Medium
Reference: GHSA-x8wv-h3mm-65c4 (GitHub Advisory)
Executive Summary
A session expiration flaw was discovered in the Apache Airflow FAB (Flask AppBuilder) provider that could allow users to remain logged in even after an admin resets their password through the CLI. This bug, tracked as CVE-2024-45033, underscores the importance of correctly clearing user sessions after password changes for security.
This post explains the vulnerability, how to reproduce it, and why you should upgrade to at least 1.5.2 of the provider package. Clear code snippets are provided for those wanting to see it in action.
What’s the Problem?
When an admin changes a user’s password from the CLI, Airflow’s FAB provider failed to expire that user’s active sessions. That means anyone already logged in under that account could stay logged in, even after the password change.
> Note: If the password was changed via the Web UI, sessions would properly expire.
> This bug only affects CLI-based password changes. This is different from CVE-2023-40273.
Patched: 1.5.2 and above
If you’re running Airflow with this provider and using the CLI to manage users, your system could let users continue their sessions after a password change.
Normal Session Expiration
With secure applications, changing a password should immediately log out all current sessions for the user. Otherwise, if an attacker already has a session, they can keep accessing the system.
When an admin used the CLI
airflow users password -u alice -p newpass123
...the command only updated the password hash in the database. It did not clear any of that user's existing sessions in the session store (often this is a database table like ab_user and an associated sessions table).
So, if “Alice” was logged in via web browser, she could stay logged in even after the CLI password change, until her session expired naturally or she logged out manually.
The bug existed because this code path is missing a step
def cli_change_password(username, new_password):
user = User.query.filter_by(username=username).first()
user.password = hash(new_password)
db.session.commit()
# MISSING: Session removal for the user!
`text
Browser A -> logs in as alice / oldpassword (session cookie issued)
Server restarts and sessions are wiped (depending on configuration)
This exposes the system to unwanted risks, especially if an account is suspected of compromise.
Quick Test Script
If you want to try this yourself (in a test environment only!), here’s a Python snippet using requests:
import requests
session = requests.Session()
login_url = "http://localhost:808/login/";
login_data = {"username": "alice", "password": "oldpasswd"}
# Step 1: login, get session cookie
res = session.post(login_url, data=login_data)
print("Logged in. Session:", session.cookies.get_dict())
# Step 2: admin changes password _in different terminal_
# airflow users password -u alice -p 'newpasswd'
# Step 3: try to access index page with old session
res2 = session.get("http://localhost:808/";)
if "Welcome" in res2.text:
print("Session re-used: Password change didn't force logout!")
else:
print("Session terminated: Secure!")
How Did They Fix It?
In 1.5.2, commit diff (replace with actual commit if available) ensures that after changing a password via CLI, Airflow clears all sessions for that user:
Fixed version pseudocode
def cli_change_password(username, new_password):
user = User.query.filter_by(username=username).first()
user.password = hash(new_password)
db.session.commit()
clear_sessions_for_user(user) # <-- This line added
This means any active session becomes instantly invalid after a password reset, as it should.
Official Advisory:
Upstream Fix Discussion:
Related:
CVE-2023-40273 – Web UI password change session fix (since Airflow 2.7.)
Summary Table
| Action | Web UI | CLI (Pre-1.5.2) |
|------------------------------- |-------------- |-----------------|
| Change password | Valid sessions expire | Old sessions remain |
| Security risk? | No | Yes (CVE-2024-45033) |
Conclusion
CVE-2024-45033 is a textbook example of why session management is critical in modern web apps. If you’re managing Airflow users with the CLI, be sure to upgrade your FAB provider to 1.5.2 or higher, ensuring user sessions expire immediately when passwords are changed.
Stay safe, and always test your upgrades!
*Original, exclusive summary by [YourName], 2024.*
Timeline
Published on: 01/08/2025 09:15:07 UTC
Last modified on: 01/08/2025 14:15:26 UTC