CVE-2023-42663

Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/11/12/2	Mailing List Third Party Advisory
https://github.com/apache/airflow/pull/34315	Patch
https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-10-14 10:15

Updated : 2024-01-12 22:04

NVD link : CVE-2023-42663

Mitre link : CVE-2023-42663

CVE.ORG link : CVE-2023-42663

JSON object : View

Products Affected

apache

airflow

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-42663", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-10-14T10:15:09.940", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/11/12/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://github.com/apache/airflow/pull/34315", "tags": ["Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.\nUsers of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.\n\n"}, {"lang": "es", "value": "Apache Airflow, en versiones anteriores a la 2.7.2, tiene una vulnerabilidad que permite a un usuario autorizado que tiene acceso para leer solo DAG espec\u00edficos, leer informaci\u00f3n sobre instancias de tareas en otros DAG. Se recomienda a los usuarios de Apache Airflow que actualicen a la versi\u00f3n 2.7.2 o posterior para mitigar el riesgo asociado con esta vulnerabilidad."}], "lastModified": "2024-01-12T22:04:05.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63233E2B-0359-41A5-A4BA-218F2CC2F778", "versionEndExcluding": "2.7.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}