CVE-2023-22887

CWE-22: Path Traversal (5 documents, 4 sources)
Severity: 6.5 MEDIUM
EPSS: 0.5% (top 35.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 12

Description

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

NVD: apache/airflow < 2.6.3
PyPI: apache-airflow < 2.6.3

Patches

Vulnerability Details (4)

OSV: Apache Airflow Path Traversal vulnerability (2023-07-12)
CVEList: Apache Airflow path traversal by authenticated user (2023-07-12)
GHSA: Apache Airflow Path Traversal vulnerability (2023-07-12)
OSV: CVE-2023-22887: Apache Airflow, versions before 2 (2023-07-12)
CVE-2023-22887 (MEDIUM CVSS 6.5) | Apache Airflow | cvebase.io