CVE-2023-50944 — Missing Authorization in Software Foundation Apache Airflow

CWE-862 — Missing Authorization6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 64.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedJan 24

Latest updateMar 12

Description

Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/airflow< 2.8.1

▶CVEListV5apache_software_foundation/apache_airflow< 2.8.1

🔴Vulnerability Details

OSV

Apache Airflow: Bypass permission verification to read code of other dags↗2024-01-24

▶

GHSA

Apache Airflow: Bypass permission verification to read code of other dags↗2024-01-24

▶

CVEList

Apache Airflow: Bypass permission verification to read code of other dags↗2024-01-24

▶

OSV

CVE-2023-50944: Apache Airflow, versions before 2↗2024-01-24

▶

💬Community

HackerOne

Apache Airflow: Bypass permission verification to read code of other dags↗2024-03-12

▶