CVE-2023-42663
Apache Airflow: Bypass permission verification to view task instances of other dags
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.
Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
Apache Airflow, en versiones anteriores a la 2.7.2, tiene una vulnerabilidad que permite a un usuario autorizado que tiene acceso para leer solo DAG específicos, leer información sobre instancias de tareas en otros DAG. Se recomienda a los usuarios de Apache Airflow que actualicen a la versión 2.7.2 o posterior para mitigar el riesgo asociado con esta vulnerabilidad.
*Credits:
balis0ng, Ephraim Anierobi
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-09-12 CVE Reserved
- 2023-10-14 CVE Published
- 2024-01-21 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2023/11/12/2 | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/apache/airflow/pull/34315 | 2024-01-12 |
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9 | 2024-01-12 |