CVE-2023-50783

Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification. Users are recommended to upgrade to 2.8.0, which fixes this issue

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/12/21/4	Mailing List Third Party Advisory
https://github.com/apache/airflow/pull/33932	Patch
https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-12-21 10:15

Updated : 2023-12-28 13:45

NVD link : CVE-2023-50783

Mitre link : CVE-2023-50783

CVE.ORG link : CVE-2023-50783

JSON object : View

Products Affected

apache

airflow

CWE

CWE-284

Improper Access Control

{"id": "CVE-2023-50783", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-12-21T10:15:36.607", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/12/21/4", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://github.com/apache/airflow/pull/33932", "tags": ["Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable.\nThis flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.\nUsers are recommended to upgrade to 2.8.0, which fixes this issue"}, {"lang": "es", "value": "Apache Airflow, en versiones anteriores a 2.8.0, se ve afectado por una vulnerabilidad que permite a un usuario autenticado sin el permiso de edici\u00f3n de variables actualizar una variable. Este fallo compromete la integridad de la gesti\u00f3n de variables, lo que podr\u00eda provocar modificaciones de datos no autorizadas. Se recomienda a los usuarios actualizar a 2.8.0, que soluciona este problema"}], "lastModified": "2023-12-28T13:45:11.130", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4677EF1A-E179-48BF-98C7-EACB269B0BDD", "versionEndExcluding": "2.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}