CVE-2023-48291

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 2.8.0

Description The issue allows an authenticated user with limited access to some DAGs to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus enabling the user to clear DAGs they shouldn't. This is related to a missing fix in Apache Airflow 2.7.2. The vulnerability is also associated with information disclosure in the error data area, which could allow a remote attacker to gain unauthorized access to the database.

Recommendations For Apache Airflow versions prior to 2.8.0, upgrade to version 2.8.0 or newer to mitigate the risk associated with this issue. As a temporary workaround, consider restricting access to sensitive DAG resources until the upgrade is applied. Additionally, monitor user activity and access logs to detect any potential exploitation attempts.