CVE-2023-39508 – apache-airflow

Package

Manager: pip
Name: apache-airflow
Vulnerable Version: >=0 <2.6.0b1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00674 pctl0.70547

Details

Apache Airflow Execution with Unnecessary Privileges Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0. This issue affects Apache Airflow: before 2.6.0.

Metadata

Created: 2023-08-05T09:30:16Z
Modified: 2025-02-13T19:10:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-269x-pg5c-5xgm/GHSA-269x-pg5c-5xgm.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-269x-pg5c-5xgm
Finding: F310
Auto approve: 1