Lucene search

[email protected]CVE-2023-22887

HistoryJul 12, 2023 - 10:15 a.m.

CVE-2023-22887

2023-07-1210:15:09

CWE-22

[email protected]

web.nvd.nist.gov

cve-2023-22887

apache airflow

vulnerability

unauthorized file access

nvd

security update

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.2 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

14.7%

JSON

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected

CPENameOperatorVersion
apache:airflowapache airflowlt2.6.3
apache:airflowapache airfloweq1.5.1
apache:airflowapache airfloweq1.0.0
apache:airflowapache airfloweq1.10.1
apache:airflowapache airfloweq2.2.1
apache:airflowapache airfloweq1.10.15
apache:airflowapache airfloweq2.3.0
apache:airflowapache airfloweq2.3.1
apache:airflowapache airfloweq2.6.2
apache:airflowapache airfloweq0.4

CPE	Name	Operator	Version
apache:airflow	apache airflow	lt	2.6.3
apache:airflow	apache airflow	eq	1.5.1
apache:airflow	apache airflow	eq	1.0.0
apache:airflow	apache airflow	eq	1.10.1
apache:airflow	apache airflow	eq	2.2.1
apache:airflow	apache airflow	eq	1.10.15
apache:airflow	apache airflow	eq	2.3.0
apache:airflow	apache airflow	eq	2.3.1
apache:airflow	apache airflow	eq	2.6.2
apache:airflow	apache airflow	eq	0.4