PT-2023-4783 · Apache · Apache Airflow
Balis0Ng · Published 2023-08-04 · Updated 2026-02-20 · CVE-2023-39508
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Airflow, all versions prior to 2.6.0
Description: The vulnerability lies in the "Run Task" feature of the Apache Airflow web UI. An authenticated user can use it to bypass some of the restrictions placed on their account: the feature lets them execute arbitrary code in the worker context without holding the permissions that would normally be required, and act on DAGs they are not otherwise allowed to reach. The feature was considered dangerous and has been removed entirely in Airflow 2.6.0. Successful exploitation can expose sensitive information to an unauthorized actor and, because it yields code execution on the worker, can also compromise integrity and availability (the CVSS vector rates confidentiality, integrity and availability impact as complete).
Recommendations: Upgrade Apache Airflow to version 2.6.0 or later, where the "Run Task" feature has been removed entirely. If an immediate upgrade is not possible, disable or restrict access to the "Run Task" feature as a temporary workaround, limit which authenticated users can reach the webserver, and tighten DAG-level access so that a low-privileged account cannot reach the affected action. Treat any authenticated user who could reach the feature on an unpatched instance as having had code execution on the worker when scoping an investigation.
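A quick way to decide whether a deployment falls into the affected range is to compare its Airflow version against 2.6.0. The script below is an added example for this advisory, not code from Apache Airflow or from the advisory's author; the version parser (`parse_version`) and the helper names are hypothetical, and the version strings in the comments are constructed samples. It reads the installed `apache-airflow` distribution version when run without arguments, or checks a version string passed on the command line, and it treats pre-releases of 2.6.0 itself (such as 2.6.0rc1) as still affected, since they precede the release that removed the feature.

```python
"""Check whether an Apache Airflow version is in the range affected by CVE-2023-39508
(every release before 2.6.0, the version in which the "Run Task" feature was removed)."""
import re
import sys
from importlib import metadata

# First release in which the "Run Task" feature no longer exists (from the advisory).
FIXED_RELEASE = (2, 6, 0)

# Hypothetical, minimal parser for Airflow version strings such as
# "2.5.3", "2.6.0rc1" or "2.6.0.dev0"; it extracts only what this check needs.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?P<pre>(?:a|b|rc)\d*|\.dev\d*)?"
)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease); raise ValueError on junk input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))
    return release, m["pre"] is not None


def is_affected(text):
    """True when the version precedes the 2.6.0 release.

    A pre-release of 2.6.0 itself (2.6.0rc1, 2.6.0.dev0) sorts before the final
    release and still shipped the feature, so it is reported as affected too.
    """
    release, prerelease = parse_version(text)
    if release < FIXED_RELEASE:
        return True
    return release == FIXED_RELEASE and prerelease


def installed_airflow_version():
    """Version of the apache-airflow distribution in this environment, or None."""
    try:
        return metadata.version("apache-airflow")
    except metadata.PackageNotFoundError:
        return None


def main(argv):
    version = argv[1] if len(argv) > 1 else installed_airflow_version()
    if version is None:
        print("apache-airflow is not installed here; pass a version string as an argument")
        return 2
    affected = is_affected(version)
    verdict = "AFFECTED" if affected else "not affected"
    print(f"Apache Airflow {version}: {verdict} by CVE-2023-39508 (fixed in 2.6.0)")
    return 1 if affected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_airflow_cve_2023_39508.py` inside the webserver's virtual environment, or as `python check_airflow_cve_2023_39508.py 2.5.3` against a version taken from `airflow version` or the UI footer; a non-zero exit status signals an affected version, which makes it easy to wire into an inventory script.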

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2023-05231
BIT-AIRFLOW-2023-39508
CVE-2023-39508
GHSA-269X-PG5C-5XGM
PYSEC-2023-134

Affected Products

Apache Airflow