PT-2023-6914 · Apache · Apache Airflow

Augusto Hidalgo +1 · Published 2023-11-12 · Updated 2024-03-06 · CVE-2023-47037

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Apache Airflow versions prior to 2.7.3

Description

The issue allows authenticated users who are authorized to view a DAG to modify some DAG run detail values when submitting notes, potentially altering details such as configuration parameters and start dates. This is related to improper authorization in the Apache Airflow network programming tool.

Recommendations

For versions prior to 2.7.3, upgrade to version 2.7.3 or later, in which the vulnerability has been fixed. As a temporary workaround, consider restricting access to modify DAG run details for authenticated and DAG-view authorized users until the upgrade is applied.

Fix

DoS

Incorrect Authorization

Improper Authorization

Weakness Enumeration

Related Identifiers

BDU:2023-07932
BIT-AIRFLOW-2023-47037
CVE-2023-47037
GHSA-HM9R-7F84-25C9
PYSEC-2023-232

Affected Products

Apache Airflow