CVE-2023-39508

Опубликовано: 05 авг. 2023

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0

This issue affects Apache Airflow: before 2.6.0.

Ссылки

http://seclists.org/fulldisclosure/2023/Jul/43
Not Applicable
https://github.com/apache/airflow/pull/29706
Patch
Vendor Advisory
https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15
Mailing List
Vendor Advisory
http://seclists.org/fulldisclosure/2023/Jul/43
Not Applicable
https://github.com/apache/airflow/pull/29706
Patch
Vendor Advisory
https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

Версия до 2.6.0 (исключая)

EPSS

Процентиль: 71%

0.00705

Низкий

8.8 High

CVSS3

Дефекты

CWE-200

NVD-CWE-Other

Связанные уязвимости

CVE-2023-39508

CVSS3: 8.8

debian

больше 2 лет назад

Execution with Unnecessary Privileges, : Exposure of Sensitive Informa ...

GHSA-269x-pg5c-5xgm

CVSS3: 8.8

github

больше 2 лет назад

Apache Airflow Execution with Unnecessary Privileges

BDU:2023-05231

CVSS3: 8.8

fstec

больше 2 лет назад

Уязвимость функции Run Task программного обеспечения создания, мониторинга и оркестрации сценариев обработки данных Airflow, позволяющая нарушителю получить доступ к конфиденциальной информации

EPSS

Процентиль: 71%

0.00705

Низкий

8.8 High

CVSS3

Дефекты

CWE-200

NVD-CWE-Other