oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-42781: Apache Airflow: Permission verification bypass allows viewing dagruns of other dags

From: Ephraim Anierobi <ephraimanierobi () apache org>
Date: Sun, 12 Nov 2023 11:11:12 +0000
Severity: low

Affected versions:

- Apache Airflow before 2.7.3

Description:

Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read 
specific DAGs only, to read information about task instances in other DAGs.  This is a different issue than 
CVE-2023-42663 but leading to similar outcome.
Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this 
vulnerability.

Credit:

balis0ng (finder)
Hussein Awala (remediation developer)

References:

https://github.com/apache/airflow/pull/34939
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-42781
Previous By Date Next
Previous By Thread Next

Current thread: