Описание
Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dag_id set to "~" (wildcard for all DAGs). As a result, version metadata of DAGs that the requester is not authorized to access is returned.
Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue.
Ссылки
- Issue Tracking
- Mailing ListThird Party Advisory
- Mailing ListThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 3.0.0 (включая) до 3.1.8 (исключая)
cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
EPSS
Процентиль: 17%
0.00054
Низкий
6.5 Medium
CVSS3
Дефекты
CWE-732
Связанные уязвимости
CVSS3: 6.5
debian
14 дней назад
Apache Airflow versions 3.0.0 through 3.1.7FastAPI DagVersion listing ...
CVSS3: 7.5
github
14 дней назад
Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata
EPSS
Процентиль: 17%
0.00054
Низкий
6.5 Medium
CVSS3
Дефекты
CWE-732