CVE-2023-42663 — Sensitive Information Exposure in Software Foundation Apache Airflow

CWE-200 — Sensitive Information Exposure7 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 36.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedOct 14

Latest updateNov 13

Description

Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/airflow< 2.7.2

▶CVEListV5apache_software_foundation/apache_airflow< 2.7.2+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Apache Airflow vulnerable to Exposure of Sensitive Information to an Unauthorized Actor↗2023-11-12

▶

GHSA

Apache Airflow vulnerable to sensitive information exposure↗2023-10-14

▶

OSV

Apache Airflow vulnerable to sensitive information exposure↗2023-10-14

▶

CVEList

Apache Airflow: Bypass permission verification to view task instances of other dags↗2023-10-14

▶

OSV

CVE-2023-42663: Apache Airflow, versions before 2↗2023-10-14

▶

💬Community

HackerOne

CVE-2023-42663: Apache Airflow: Bypass permission verification to view task instances of other dags↗2023-11-13

▶