CVE-2023-37379 – Apache Airflow: Exposure of sensitive connection information, DOS and SSRF on "test connection" feature
https://notcve.org/view.php?id=CVE-2023-37379
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server. Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface. Apache Airflow, en versiones anteriores a la 2.7.0, contiene una vulnerabilidad de seguridad que puede ser explotada por un usuario autenticado que posea privilegios de edición de conexión. • http://www.openwall.com/lists/oss-security/2023/08/23/4 https://github.com/apache/airflow/pull/32052 https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-400: Uncontrolled Resource Consumption CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-40273 – Session fixation in Apache Airflow web interface
https://notcve.org/view.php?id=CVE-2023-40273
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the session of the user. Other than manually cleaning the session database (for database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that). With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour. Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. La vulnerabilidad de fijación de sesión permitía al usuario autenticado seguir accediendo al servidor web de Airflow incluso después de que el administrador hubiera restablecido la contraseña del usuario, hasta la expiración de la sesión del usuario. • https://github.com/apache/airflow/pull/33347 https://lists.apache.org/thread/9rdmv8ln4y4ncbyrlmjrsj903x4l80nj https://www.openwall.com/lists/oss-security/2023/08/23/1 • CWE-384: Session Fixation •
CVE-2023-39508 – Apache Airflow: Airflow "Run task" feature allows execution with unnecessary priviledges
https://notcve.org/view.php?id=CVE-2023-39508
Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0 This issue affects Apache Airflow: before 2.6.0. • http://seclists.org/fulldisclosure/2023/Jul/43 https://github.com/apache/airflow/pull/29706 https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-250: Execution with Unnecessary Privileges •
CVE-2023-22888 – Apache Airflow: Scheduler remote DoS
https://notcve.org/view.php?id=CVE-2023-22888
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected • https://github.com/apache/airflow/pull/32293 https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z • CWE-20: Improper Input Validation •
CVE-2023-36543 – Apache Airflow: ReDoS via dags function
https://notcve.org/view.php?id=CVE-2023-36543
Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected • https://github.com/apache/airflow/pull/32060 https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4 • CWE-1333: Inefficient Regular Expression Complexity •