CVE-2023-49920

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation.As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.
Users are advised to upgrade to version 2.8.0 or later which is not affected
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
apacheairflow
2.7.0 ≤
𝑥
≤ 2.7.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/12/21/3
https://github.com/apache/airflow/pull/36026
https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq
http://www.openwall.com/lists/oss-security/2023/12/21/3
https://github.com/apache/airflow/pull/36026
https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq