Use of Incorrectly-Resolved Name or ReferenceAffected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference through the resource_name() function in permissions.py and the mirrored core permissions module. An attacker can gain global read/edit access to all DAGs by creating or targeting a DAG with the dag_id DAGs and having per-DAG access_control granted on that DAG. The vulnerable resource_name() logic returned the raw dag_id when it matched a reserved resource name, so the valid DAG name DAGs collided with the global all-DAGs permission resource instead of resolving to its own DAG:DAGs resource. As a result, permissions intended for one DAG were applied to the global DAGs resource, exposing every DAG to the lower-privileged user.
Notes
- The issue affects both the FAB auth-manager permissions helper and the mirrored core permissions helper, so deployments using either copy of Airflow’s permission resolution can inherit the same resource-name collision.
How to fix Use of Incorrectly-Resolved Name or Reference? Upgrade apache-airflow-core to version 3.3.0 or higher.
| |