Описание
Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes
Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2023-47037
- https://github.com/apache/airflow/pull/33413
- https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
- https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml
- https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0
- http://www.openwall.com/lists/oss-security/2023/11/12/1
Пакеты
apache-airflow
< 2.7.3
2.7.3
EPSS
5.3 Medium
CVSS4
4.3 Medium
CVSS3
CVE ID
Дефекты
Связанные уязвимости
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability.
We failed to applyCVE-2023-40611 in 2.7.1 and this vulnerability was m ...
Уязвимость сетевого программного средства Apache Airflow, связанная с неправильной авторизацией, позволяющая нарушителю изменять произвольные файлы
EPSS
5.3 Medium
CVSS4
4.3 Medium
CVSS3