CVE-2023-39508

Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0

This issue affects Apache Airflow: before 2.6.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
apacheairflow
𝑥
< 2.6.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
apacheairflow
𝑥
< 2.6.0
ADP
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2023/Jul/43
https://github.com/apache/airflow/pull/29706
https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15
http://seclists.org/fulldisclosure/2023/Jul/43
https://github.com/apache/airflow/pull/29706
https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15