CVE-2023-50783
Apache Airflow: Improper access control vulnerability on the "varimport" endpoint
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.
This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.
Users are recommended to upgrade to 2.8.0, which fixes this issue
Apache Airflow, en versiones anteriores a 2.8.0, se ve afectado por una vulnerabilidad que permite a un usuario autenticado sin el permiso de edición de variables actualizar una variable. Este fallo compromete la integridad de la gestión de variables, lo que podría provocar modificaciones de datos no autorizadas. Se recomienda a los usuarios actualizar a 2.8.0, que soluciona este problema
*Credits:
balis0ng, Ephraim Anierobi
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-12-13 CVE Reserved
- 2023-12-21 CVE Published
- 2024-06-27 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-284: Improper Access Control
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2023/12/21/4 | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/apache/airflow/pull/33932 | 2023-12-28 |
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn | 2023-12-28 |