Vulnerability	Vulnerable Version
C LDAP Injection apache-airflow-providers-fab is a Provider package apache-airflow-providers-fab for Apache Airflow Affected versions of this package are vulnerable to LDAP Injection through the `_ldap_bind_indirect` and nested group search code in `override.py`. An attacker can manipulate the LDAP username or distinguished name used in the search filters by supplying crafted login input, causing the application to query unintended LDAP entries and authenticate or enumerate accounts incorrectly. This can let an attacker bypass intended LDAP lookup constraints and gain unauthorized access to the Airflow web application. Workarounds Disable LDAP authentication in Airflow FAB Auth Manager until you can upgrade `apache-airflow-providers-fab`; this prevents unauthenticated attackers from abusing LDAP filter injection to exfiltrate directory data or bypass authentication. How to fix LDAP Injection? Upgrade `apache-airflow-providers-fab` to version 3.6.4rc1 or higher.	[,3.6.4rc1)

LDAP Injection

apache-airflow-providers-fab is a Provider package apache-airflow-providers-fab for Apache Airflow

Affected versions of this package are vulnerable to LDAP Injection through the _ldap_bind_indirect and nested group search code in override.py. An attacker can manipulate the LDAP username or distinguished name used in the search filters by supplying crafted login input, causing the application to query unintended LDAP entries and authenticate or enumerate accounts incorrectly. This can let an attacker bypass intended LDAP lookup constraints and gain unauthorized access to the Airflow web application.

Workarounds

Disable LDAP authentication in Airflow FAB Auth Manager until you can upgrade apache-airflow-providers-fab; this prevents unauthenticated attackers from abusing LDAP filter injection to exfiltrate directory data or bypass authentication.

How to fix LDAP Injection?

Upgrade apache-airflow-providers-fab to version 3.6.4rc1 or higher.

[,3.6.4rc1)

Go back to all versions of this package