CVE-2023-47037 – Apache Airflow missing fix for CVE-2023-40611 in 2.7.1 (DAG run broken access)
https://notcve.org/view.php?id=CVE-2023-47037
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability. No pudimos aplicar CVE-2023-40611 en 2.7.1 y esta vulnerabilidad se marcó como solucionada en ese momento. Apache Airflow, versiones anteriores a 2.7.3, se ve afectada por una vulnerabilidad que permite a los usuarios autenticados y autorizados para ver DAG modificar algunos valores de detalles de ejecución de DAG al enviar notas. Esto podría hacer que alteren detalles como los parámetros de configuración, la fecha de inicio, etc. • http://www.openwall.com/lists/oss-security/2023/11/12/1 https://github.com/apache/airflow/pull/33413 https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0 • CWE-863: Incorrect Authorization •
CVE-2023-46215 – Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend
https://notcve.org/view.php?id=CVE-2023-46215
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vulnerability is about the information exposed in the logs not about accessing the logs. This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3. Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue. Vulnerabilidad de inserción de información confidencial en un archivo de registro en el proveedor de Apache Airflow Celery, Apache Airflow. La información confidencial se registra como texto plano cuando los protocolos rediss, amqp y rpc se utilizan como backend de resultados de Celery. Nota: la vulnerabilidad se refiere a la información expuesta en los registros, no al acceso a los registros. Este problema afecta al proveedor Apache Airflow Celery: desde 3.3.0 hasta 3.4.0; Apache Airflow: desde 1.10.0 hasta 2.6.3. • http://www.openwall.com/lists/oss-security/2023/10/28/1 https://github.com/apache/airflow/pull/34954 https://lists.apache.org/thread/wm1jfmks7r6m7bj0mq4lmw3998svn46n • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2023-46288 – Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set
https://notcve.org/view.php?id=CVE-2023-46288
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2). Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en Apache Airflow. • http://www.openwall.com/lists/oss-security/2024/04/17/10 https://github.com/apache/airflow/pull/32261 https://lists.apache.org/thread/yw4vzm0c5lqkwm0bxv6qy03yfd1od4nw • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-42663 – Apache Airflow: Bypass permission verification to view task instances of other dags
https://notcve.org/view.php?id=CVE-2023-42663
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. Apache Airflow, en versiones anteriores a la 2.7.2, tiene una vulnerabilidad que permite a un usuario autorizado que tiene acceso para leer solo DAG específicos, leer información sobre instancias de tareas en otros DAG. Se recomienda a los usuarios de Apache Airflow que actualicen a la versión 2.7.2 o posterior para mitigar el riesgo asociado con esta vulnerabilidad. • http://www.openwall.com/lists/oss-security/2023/11/12/2 https://github.com/apache/airflow/pull/34315 https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-42792 – Apache Airflow: Improper access control to DAG resources
https://notcve.org/view.php?id=CVE-2023-42792
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. Users of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. Apache Airflow, en versiones anteriores a la 2.7.2, contiene una vulnerabilidad de seguridad que permite a un usuario autenticado con acceso limitado a algunos DAG crear una solicitud que podría darle al usuario acceso de escritura a varios recursos de DAG para los DAG a los que el usuario no tenía acceso. para, por lo tanto, permitir al usuario borrar DAG que no debería. Se recomienda encarecidamente a los usuarios de Apache Airflow que actualicen a la versión 2.7.2 o posterior para mitigar el riesgo asociado con esta vulnerabilidad. • http://www.openwall.com/lists/oss-security/2023/12/21/1 https://github.com/apache/airflow/pull/34366 https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq • CWE-668: Exposure of Resource to Wrong Sphere •