Lucene search

Veracode Vulnerability DatabaseVERACODE:43832

HistoryOct 16, 2023 - 7:44 a.m.

Information Disclosure

2023-10-1607:44:11

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

apache airflow

information disclosure

vulnerability

authenticated users

directed acyclic graphs

dags

permissions

sensitive information

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

16.0%

JSON

Apache Airflow is vulnerable to Information Disclosure. The vulnerability is due to a flaw that permits authenticated users to list warnings for all Directed Acyclic Graphs (DAG’s) regardless of their permissions to access such DAG’s. This leads to exposure of sensitive information such as dag_ids and the stack-traces.

CPENameOperatorVersion
apache-airflowle2.7.1
apache-airflowle2.7.1

CPE	Name	Operator	Version
	apache-airflow	le	2.7.1
	apache-airflow	le	2.7.1

References

github.com/apache/airflow/commit/cf4eb3fb9b5cf4a8369b890e39523d4c05eed161

github.com/apache/airflow/pull/34355

lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

16.0%

JSON

Related for VERACODE:43832