CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile: 48.8%
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes. This could let them alter details such as configuration parameters, start date, etc.
Users should upgrade to version 2.7.1 or later, which has removed the vulnerability.
www.openwall.com/lists/oss-security/2023/11/12/1
github.com/apache/airflow
github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
github.com/apache/airflow/pull/33413
github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml
lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0
nvd.nist.gov/vuln/detail/CVE-2023-40611