PT-2023-8381 · Apache · Apache Airflow

0Xt4Req · +2

Published: 2023-12-21 · Updated: 2024-03-06 · CVE-2023-49920

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions 2.7.0 through 2.7.3

Description: The issue stems from insufficient validation of the requests that Airflow executes: a DAG can be triggered by a GET request that carries no CSRF token, so the request is never checked for CSRF. A malicious website opened in the same browser as the Airflow UI can therefore cause DAGs to be executed without the user's consent.

Recommendations: For Apache Airflow versions 2.7.0 through 2.7.3, upgrade to version 2.8.0 or later, which is not affected by this issue. As a temporary workaround, consider restricting access to the Airflow UI to minimize the risk of exploitation.
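The weakness described above is a state-changing endpoint that accepts a plain GET with no CSRF token. The following is an added example, written for this page and not Airflow's own code, that shows that pattern next to the hardened form a defender would want: a state change is only accepted over POST, with a per-session CSRF token compared in constant time, plus a same-origin check on Origin/Referer as defence in depth. The `Session` and `Request` classes, the `trigger_dag_*` functions and the `APP_ORIGIN` value are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample value: the origin the (hypothetical) web UI is served from.
APP_ORIGIN = "https://airflow.example.internal"


@dataclass
class Session:
    """Server-side session state; the CSRF token lives here, never in the URL."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed, not a real framework API)."""
    method: str
    path: str
    session: Session
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def trigger_dag_unsafe(req: Request) -> tuple[int, str]:
    """Vulnerable pattern: the state change happens for any request that reaches
    the handler, including a GET a browser issues for an <img> or link on
    another site. Neither the method nor a CSRF token is checked."""
    dag_id = req.form.get("dag_id") or "unknown"
    return 200, f"triggered {dag_id}"


def same_origin(req: Request) -> bool:
    """Defence in depth: the browser-supplied Origin (or, failing that, the
    Referer's scheme+host) must equal the application's own origin. If neither
    header is present the request is treated as cross-origin and rejected."""
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == APP_ORIGIN


def trigger_dag_safe(req: Request) -> tuple[int, str]:
    """Hardened pattern: only POST may change state, the submitted CSRF token
    must match the session token (constant-time compare), and the request must
    come from the application's own origin."""
    if req.method != "POST":
        return 405, "method not allowed"
    submitted = req.form.get("csrf_token", "")
    # compare_digest on bytes avoids both timing leaks and str encoding errors
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return 403, "csrf token missing or invalid"
    if not same_origin(req):
        return 403, "cross-origin request rejected"
    dag_id = req.form.get("dag_id") or "unknown"
    return 200, f"triggered {dag_id}"


if __name__ == "__main__":
    sess = Session()
    # The kind of request the check must reject: a GET with no token,
    # arriving from another origin (constructed sample headers).
    cross_site_get = Request("GET", "/trigger", sess,
                             {"dag_id": "nightly"},
                             {"Origin": "https://attacker.example"})
    print("unsafe handler:", trigger_dag_unsafe(cross_site_get))  # 200: acts on it
    print("safe handler:  ", trigger_dag_safe(cross_site_get))    # 405: refused
    legit = Request("POST", "/trigger", sess,
                    {"dag_id": "nightly", "csrf_token": sess.csrf_token},
                    {"Origin": APP_ORIGIN})
    print("safe handler:  ", trigger_dag_safe(legit))             # 200: accepted
```

The token check is the control that actually closes the hole; the method restriction stops the "image tag" style GET, and the origin check catches a forged POST from a page that somehow learned a token value. All three are cheap, and a framework-level CSRF extension normally does the first two for you once it is applied to the endpoint.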

Fix

CSRF


Weakness Enumeration

Related Identifiers

BDU:2024-00577
BIT-AIRFLOW-2023-49920
CVE-2023-49920
GHSA-6M9R-7WRX-XMR6
PYSEC-2023-266

Affected Products

Apache Airflow