CVE-2023-40611

apache/airflow

on github

Published

September 12, 2023

Severity

CVSS v3:

4.3 MEDIUM

CVSS v2:

N/A

Description

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability.

References

https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0
https://github.com/apache/airflow/pull/33413
http://www.openwall.com/lists/oss-security/2023/11/12/1

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:apache:airflow::::::::	n/a	2.7.1	*
cpe:2.3:a:apache:airflow::::::::	n/a	2.7.3	*

External Links

NVD - CVE-2023-40611