Happyhacking

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions before 2.7.1 **Description** The issue allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes, potentially altering details such as configuration parameters and start dates. **Recommendations** For Apache Airflow versions before 2.7.1, users should upgrade to version 2.7.1 or later, which has removed the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow JDBC Provider versions prior to 4.0.0 **Description** The issue is related to improper input validation in the Apache Airflow JDBC Provider, specifically in the Connection URL parameters of the Airflow JDBC Provider Connection, which had no restrictions. This made it possible to implement Remote Code Execution (RCE) attacks via different types of JDBC drivers, allowing attackers to obtain Airflow server permission. **Recommendations** For versions prior to 4.0.0, update to version 4.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Connection URL parameters to minimize the risk of exploitation. Avoid using the `Connection URL` parameter in the affected Airflow JDBC Provider Connection until the issue is resolved.