CVE-2023-39508 — Sensitive Information Exposure in Software Foundation Apache Airflow
Severity
8.8 HIGH (NVD)
EPSS
0.5%
top 34.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Aug 5
Description
Execution with Unnecessary Privileges, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow. The "Run Task" feature enables an authenticated user to bypass some of the restrictions put in place. It allows the user to execute code in the webserver context and to bypass the limits on their access to certain DAGs. The "Run Task" feature is considered dangerous and has been removed entirely in Airflow 2.6.0.
This issue affe…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 2 packages
Patches
Vulnerability Details
4 CVEList
OSV
CVE-2023-39508: Execution with Unnecessary Privileges, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache (2023-08-05)