CVE-2023-37379

CWE-200Information ExposureCWE-400Uncontrolled Resource ConsumptionCWE-918Server-Side Request Forgery (SSRF)5 documents4 sources
Severity
8.1HIGH
EPSS
0.2%
top 60.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache AirflowApache Airflow
Timeline
PublishedAug 23

Description

Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server. Users of Apache Airflow are

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

NVDapache/airflow< 2.7.0
PyPIapache-airflow< 2.7.0b1+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
GHSA
Apache Airflow denial of service vulnerability2023-08-23
CVEList
Apache Airflow: Exposure of sensitive connection information, DOS and SSRF on "test connection" feature2023-08-23
OSV
CVE-2023-37379: Apache Airflow, in versions prior to 22023-08-23
OSV
Apache Airflow denial of service vulnerability2023-08-23
CVE-2023-37379 (HIGH CVSS 8.1) | Apache Airflow | cvebase.io