Lucene search
+L

4 matches found

Hacker One
Hacker One
added 2023/12/21 8:39 p.m.34 views

Internet Bug Bounty: CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger

A vulnerability in Apache Airflow versions 2.7.0 through 2.7.3 allowed triggering of DAGs without CSRF validation, enabling malicious websites to trigger DAG execution without consent in browsers where a user was logged into Airflow. Users were advised to upgrade to 2.8.0 or later...

6.5CVSS6.3AI score0.01032EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2023/12/21 12:30 p.m.5 views

airflow-clickhouse-plugin (>=1.1.0 <=1.1.0rc2), airgoodies (>=0.0.1a0 <=0.0.4) +6 more potentially affected by CVE-2023-49920 via apache-airflow (>=2.7.1 <=2.7.3)

apache-airflow PYPI version =2.7.1, =1.1.0, =0.0.1a0, =0.1.30, =0.0.1, =0.1.0, =1.2.0, =1.3.4, =1.3.5 Source cves: CVE-2023-49920 Source advisory: OSV:GHSA-6M9R-7WRX-XMR6...

6.5CVSS6.5AI score0.01032EPSS
Exploits0
CVE
CVE
added 2023/12/21 9:27 a.m.69 views

CVE-2023-49920

Apache Airflow (versions 2.7.0–2.7.3) contains a vulnerability where a GET request can trigger DAG executions without CSRF validation due to missing CSRF protection. This allows a malicious site loaded in the same browser as an Airflow UI session to trigger DAGs without user consent. The issue is...

6.5CVSS6.4AI score0.01032EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2023/12/21 9:27 a.m.34 views

CVE-2023-49920 Apache Airflow: Missing CSRF protection on DAG/trigger

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the executi...

6.7AI score0.01032EPSS
Exploits0References3
Rows per page
Query Builder