Vulnerabilities > CVE-2023-49920 - Unspecified vulnerability in Apache Airflow

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

apache

NVD

Published: 2023-12-21

Updated: 2024-11-21

Summary

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later which is not affected

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Airflow 2.7.0 Apache Airflow 2.7.1 Apache Airflow 2.7.2 Apache Airflow 2.7.3	4

References

http://www.openwall.com/lists/oss-security/2023/12/21/3
http://www.openwall.com/lists/oss-security/2023/12/21/3
https://github.com/apache/airflow/pull/36026
https://github.com/apache/airflow/pull/36026
https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq
https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq