CVE-2023-42663 – apache-airflow

Package

Manager: pip
Name: apache-airflow
Vulnerable Version: >=0 <2.7.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00489 pctl0.64549

Details

Apache Airflow vulnerable to sensitive information exposure Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user with access to read specific DAGs _only_ to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.

Metadata

Created: 2023-10-14T12:30:23Z
Modified: 2025-02-13T19:18:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-32wr-qqw6-5mfp/GHSA-32wr-qqw6-5mfp.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-32wr-qqw6-5mfp
Finding: F038
Auto approve: 1