Lucene search

Veracode Vulnerability DatabaseVERACODE:43842

HistoryOct 16, 2023 - 1:12 p.m.

Privilege Escalation

2023-10-1613:12:49

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

apache_airflow

vulnerability

privilege escalation

software

permissions

dags

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

41.8%

JSON

apache_airflow is vulnerable to Privilege Escalation. The vulnerability is due to requires_access_decorator function in auth.py which does not check if a user has the required permissions to access certain DAGs. This allows an attacker can manipulate DAGs beyond their permission scope. This can leads to privilege escalation.

CPENameOperatorVersion
apache-airflowle2.7.1
apache-airflowle2.7.1

CPE	Name	Operator	Version
	apache-airflow	le	2.7.1
	apache-airflow	le	2.7.1

References

www.openwall.com/lists/oss-security/2023/12/21/1

github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c

github.com/apache/airflow/pull/34366

lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

41.8%

JSON

Related for VERACODE:43842