4 matches found
Internet Bug Bounty: CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger
A vulnerability in Apache Airflow versions 2.7.0 through 2.7.3 allowed triggering of DAGs without CSRF validation, enabling malicious websites to trigger DAG execution without consent in browsers where a user was logged into Airflow. Users were advised to upgrade to 2.8.0 or later...
airflow-clickhouse-plugin (>=1.1.0 <=1.1.0rc2), airgoodies (>=0.0.1a0 <=0.0.4) +6 more potentially affected by CVE-2023-49920 via apache-airflow (>=2.7.1 <=2.7.3)
apache-airflow PYPI version =2.7.1, =1.1.0, =0.0.1a0, =0.1.30, =0.0.1, =0.1.0, =1.2.0, =1.3.4, =1.3.5 Source cves: CVE-2023-49920 Source advisory: OSV:GHSA-6M9R-7WRX-XMR6...
CVE-2023-49920
Apache Airflow (versions 2.7.0–2.7.3) contains a vulnerability where a GET request can trigger DAG executions without CSRF validation due to missing CSRF protection. This allows a malicious site loaded in the same browser as an Airflow UI session to trigger DAGs without user consent. The issue is...
CVE-2023-49920 Apache Airflow: Missing CSRF protection on DAG/trigger
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the executi...