CVE-2023-40611

Severity: 4.3 MEDIUM
EPSS: 0.1% (top 68.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 12; Latest update Nov 29

Description

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users with DAG-view authorization to modify some DAG run detail values when submitting notes. This could let them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later, which has removed the vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (3 packages)

NVD: apache/airflow < 2.7.3
PyPI: apache-airflow < 2.7.1

Patches

Vulnerability Details (4)

CVEList: Apache Airflow Dag Runs Broken Access Control Vulnerability (2023-09-12)
GHSA: Apache Airflow Incorrect Authorization vulnerability (2023-09-12)
OSV: CVE-2023-40611: Apache Airflow, versions before 2 (2023-09-12)
OSV: Apache Airflow Incorrect Authorization vulnerability (2023-09-12)

Community (2)

HackerOne: CVE-2023-47037: Airflow Broken Access Control Vulnerability (2023-11-29)
HackerOne: CVE-2023-40611: Apache Airflow Dag Runs Broken Access Control Vulnerability (2023-10-27)
CVE-2023-40611 (MEDIUM CVSS 4.3) | Apache Airflow | cvebase.io