CVE-2023-42781

Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome. Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/11/12/2	Mailing List Third Party Advisory
https://github.com/apache/airflow/pull/34939	Patch
https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-11-12 14:15

Updated : 2023-11-20 19:33

NVD link : CVE-2023-42781

Mitre link : CVE-2023-42781

CVE.ORG link : CVE-2023-42781

JSON object : View

Products Affected

apache

airflow

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-42781", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-11-12T14:15:25.847", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/11/12/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://github.com/apache/airflow/pull/34939", "tags": ["Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.\u00a0 This is a different issue than CVE-2023-42663 but leading to similar outcome.\nUsers of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability."}, {"lang": "es", "value": "Apache Airflow, versiones anteriores a la 2.7.3, tiene una vulnerabilidad que permite a un usuario autorizado que tiene acceso para leer solo DAG espec\u00edficos, leer informaci\u00f3n sobre instancias de tareas en otros DAG. Este es un problema diferente al CVE-2023-42663, pero conduce a un resultado similar. Se recomienda a los usuarios de Apache Airflow que actualicen a la versi\u00f3n 2.7.3 o posterior para mitigar el riesgo asociado con esta vulnerabilidad."}], "lastModified": "2023-11-20T19:33:07.527", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8DE0419-3A7A-4E73-A896-096554A71E34", "versionEndExcluding": "2.7.3"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}