CVE-2023-47037: Incorrect Authorization in Apache Airflow (Apache Software Foundation)

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.1% (top 75.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2023-11-12; Latest update 2023-11-29

Description

The fix for CVE-2023-40611 was not actually applied in Apache Airflow 2.7.1, although that vulnerability was marked as fixed in that release. Apache Airflow versions before 2.7.3 are therefore affected by a vulnerability that allows authenticated users with DAG-view authorization to modify some DAG run detail values when submitting notes, letting them alter details such as configuration parameters and the start date. Users should upgrade to version 2.7.3 or later, which removes the vulnerability; the running version can be confirmed with `airflow version`.
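The pattern the advisory describes is a note-submission path that writes more fields than the note. The example below is added here and is not Apache Airflow's own code nor its actual 2.7.3 fix: the `DagRun` model, the permission pairs (`can_edit`, `DAG Run`), the handler names and the sample request are all assumptions chosen to make the vulnerable handler and an allowlisted replacement runnable side by side.

```python
"""Allowlisting fields on a 'submit note' update for a DAG run.

Added illustration, not Apache Airflow's own code or its actual fix.
The DagRun model, the permission names and both handlers are assumed so
the pattern in the advisory can be run end to end: a note-submission path
that, before the fix, let an authenticated DAG-view authorized user
overwrite other DAG run details sent in the same request.
"""
from __future__ import annotations

from dataclasses import dataclass, field, fields
from datetime import datetime
from typing import Any, Optional


@dataclass
class DagRun:
    """Simplified stand-in for a DAG run record (assumed field set)."""
    dag_id: str
    run_id: str
    start_date: datetime
    conf: dict = field(default_factory=dict)
    note: Optional[str] = None


class PermissionDenied(Exception):
    pass


class InvalidUpdate(ValueError):
    pass


# Assumed permission model: a user holds a set of (action, resource) pairs.
# These strings are placeholders, not Airflow's real permission names.
NOTE_PERMISSION = ("can_edit", "DAG Run")
DAG_RUN_FIELDS = frozenset(f.name for f in fields(DagRun))


def update_note_vulnerable(dag_run: DagRun, payload: dict[str, Any],
                           user_perms: set[tuple[str, str]]) -> DagRun:
    """Before-the-fix pattern: one authorization check for the note action,
    then every recognised field in the request body is written to the model.
    A user allowed only to annotate the run can therefore change its conf,
    start_date and so on by adding those keys to the note request."""
    if NOTE_PERMISSION not in user_perms:
        raise PermissionDenied("note submission not permitted")
    for key, value in payload.items():
        if key in DAG_RUN_FIELDS:
            setattr(dag_run, key, value)
    return dag_run


NOTE_EDITABLE_FIELDS = frozenset({"note"})


def update_note_hardened(dag_run: DagRun, payload: dict[str, Any],
                         user_perms: set[tuple[str, str]]) -> DagRun:
    """Hardened pattern: the note action may touch exactly one field. Any
    other key is rejected outright rather than silently ignored, so a client
    that tries to smuggle extra fields gets a visible error."""
    if NOTE_PERMISSION not in user_perms:
        raise PermissionDenied("note submission not permitted")
    extra = set(payload) - NOTE_EDITABLE_FIELDS
    if extra:
        raise InvalidUpdate(f"fields not editable via note submission: {sorted(extra)}")
    if "note" not in payload:
        raise InvalidUpdate("note field is required")
    note = payload["note"]
    if note is not None and not isinstance(note, str):
        raise InvalidUpdate("note must be a string or null")
    dag_run.note = note
    return dag_run


# Constructed sample data for the demonstration.
DAG_VIEWER_PERMS = {("can_read", "DAG"), NOTE_PERMISSION}
TAMPERED_PAYLOAD = {
    "note": "investigated, looks fine",
    "conf": {"retries": 99},             # smuggled alongside the note
    "start_date": datetime(2020, 1, 1),  # smuggled alongside the note
}


def sample_run() -> DagRun:
    """Fresh constructed DAG run so each handler starts from the same state."""
    return DagRun("example_dag", "manual__2023-11-01T12:00:00",
                  datetime(2023, 11, 1, 12, 0), conf={"retries": 1})


def demo() -> dict[str, Any]:
    """Run both handlers against the tampered request and report the outcome."""
    tampered = update_note_vulnerable(sample_run(), TAMPERED_PAYLOAD, DAG_VIEWER_PERMS)
    try:
        update_note_hardened(sample_run(), TAMPERED_PAYLOAD, DAG_VIEWER_PERMS)
        hardened_rejected = False
    except InvalidUpdate:
        hardened_rejected = True
    clean = update_note_hardened(sample_run(), {"note": "investigated, looks fine"},
                                 DAG_VIEWER_PERMS)
    try:
        update_note_hardened(sample_run(), {"note": "x"}, {("can_read", "DAG")})
        viewer_without_edit_allowed = True
    except PermissionDenied:
        viewer_without_edit_allowed = False
    return {
        "vulnerable_conf": tampered.conf,
        "vulnerable_start_year": tampered.start_date.year,
        "hardened_rejected": hardened_rejected,
        "clean_note": clean.note,
        "clean_conf": clean.conf,
        "viewer_without_edit_allowed": viewer_without_edit_allowed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened handler is that authorization is tied to the action (annotate a run), so the set of writable fields must be fixed by that action rather than by whatever the client sends; rejecting extra keys instead of dropping them also makes tampering attempts show up in request logs.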

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Exploitability: 2.8 | Impact: 1.4)

Decoded: reachable over the network, low attack complexity, low privileges required (an authenticated user), no user interaction, scope unchanged; low integrity impact, no confidentiality or availability impact.

Affected Packages (2)

Patches

Vulnerability Details (4)

- OSV (2023-11-12): Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes
- CVEList (2023-11-12): Apache Airflow missing fix for CVE-2023-40611 in 2.7.1 (DAG run broken access)
- GHSA (2023-11-12): Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes
- OSV (2023-11-12): CVE-2023-47037: We failed to apply CVE-2023-40611 in 2

Community (1)

- HackerOne (2023-11-29): CVE-2023-47037: Airflow Broken Access Control Vulnerability