CVE-2023-48291

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

21/12/2023

Last modified:

28/12/2023

Description

Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn&#39;t.<br /> <br /> This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 <br /> <br /> Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 4.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None