x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-27906

[GoVulnBot]

CVE-2024-27906 references github.com/apache/airflow, which may be a Go module.

Description:
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.

Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-27906
• JSON: https://github.com/CVEProject/cvelist/tree/20cd292a8f5469eee9de1991245b5176fa9330a2/2024/27xxx/CVE-2024-27906.json
• fix: Fix permission check on DAGs when access_entity is specified apache/airflow#37290
• fix: Check permissions for ImportError apache/airflow#37468
• web: https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5
• Imported by: https://pkg.go.dev/github.com/apache/airflow?tab=importedby

Cross references:

• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-50943 #2473 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-50944 #2474 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-51702 #2475 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/airflow
      vulnerable_at: 1.8.2
      packages:
        - package: Apache Airflow
cves:
    - CVE-2024-27906
references:
    - fix: https://github.com/apache/airflow/pull/37290
    - fix: https://github.com/apache/airflow/pull/37468
    - web: https://lists.apache.org/thread/on4f7t5sqr3vfgp1pvkck79wv7mq9st5

[gopherbot]

Change https://go.dev/cl/569495 mentions this issue: data/excluded: batch add 11 excluded reports