CVE-2023-35908 — Incorrect Authorization in Software Foundation Apache Airflow

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 58.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedJul 12

Description

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/airflow< 2.6.3

▶CVEListV5apache_software_foundation/apache_airflow< 2.6.3

Patches

Patch: github.com ↗Patch: lists.apache.org ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Apache Airflow: Access to DAGs without relevant permission↗2023-07-12

▶

OSV

CVE-2023-35908: Apache Airflow, versions before 2↗2023-07-12

▶

OSV

Apache Airflow Incorrect Authorization vulnerability↗2023-07-12

▶

GHSA

Apache Airflow Incorrect Authorization vulnerability↗2023-07-12

▶