CVSS3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS Percentile: 48.8%

apache_airflow is vulnerable to Incorrect Authorization. The vulnerability is caused by a missing read-only validation rule for all fields (e.g. start_date, end_date, run_id, dag_id, state) except the note field when editing DAG (Directed Acyclic Graph) run detail values. This allows authenticated users with DAG-view authorization to alter DAG run details such as configuration parameters, start date, etc. when submitting notes.
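
The missing rule can be shown with a small server-side check. This is an added example, not Airflow's code: the DagRun dataclass, both functions and the sample values are hypothetical and constructed for illustration. It contrasts an edit handler that writes every submitted field with one that accepts only note.

```python
from dataclasses import dataclass, replace

# Hypothetical model of a DAG run record; not Airflow's own class.
@dataclass(frozen=True)
class DagRun:
    dag_id: str
    run_id: str
    state: str
    start_date: str
    end_date: str
    conf: dict
    note: str = ""

FIELDS = DagRun.__dataclass_fields__
# The only field the edit form is meant to change.
EDITABLE_FIELDS = frozenset({"note"})


def apply_edit_unchecked(run, submitted):
    """Behaviour described above: every submitted field is written back."""
    return replace(run, **{k: v for k, v in submitted.items() if k in FIELDS})


def apply_edit(run, submitted):
    """Hardened form: a changed read-only field rejects the whole edit."""
    tampered = sorted(
        k for k, v in submitted.items()
        if k in FIELDS and k not in EDITABLE_FIELDS and getattr(run, k) != v
    )
    if tampered:
        raise PermissionError("read-only fields modified: " + ", ".join(tampered))
    return replace(run, note=submitted.get("note", run.note))


# Constructed sample data: a stored run and a form post that also alters
# state and conf while submitting a note.
STORED = DagRun("example_dag", "manual__1", "success",
                "2024-01-01T00:00:00", "2024-01-01T00:05:00", {"env": "prod"})
FORM = {"dag_id": "example_dag", "run_id": "manual__1", "state": "failed",
        "conf": {"env": "dev"}, "note": "checked"}
```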