CVE-2023-49920
published 2023-12-21CVE-2023-49920: Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a…
medium6.5CVSS 3.1
AVNACLPRNUIRSUCNIHAN
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.
Users are advised to upgrade to version 2.8.0 or later which is not affected
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | airflow | 2.7.0 – 2.7.3 | — |
| apache_software_foundation | apache_airflow | >= 2.7.0 < 2.8.0 | 2.8.0 |