GitHub Advisory DatabaseGHSA-HM9R-7F84-25C9Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
6.2 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
42.9%
Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| apache-airflow | lt | 2.7.3 |
References
www.openwall.com/lists/oss-security/2023/11/12/1
github.com/advisories/GHSA-hm9r-7f84-25c9
github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
github.com/apache/airflow/pull/33413
github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml
lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0
nvd.nist.gov/vuln/detail/CVE-2023-47037
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
6.2 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
42.9%