oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-39508: Apache Airflow: Airflow "Run task" feature allows execution with unnecessary priviledges

From: Jarek Potiuk <potiuk () apache org>
Date: Fri, 04 Aug 2023 15:24:38 +0000
Severity: moderate

Affected versions:

- Apache Airflow before 2.6.0

Description:

Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in 
Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the 
restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of 
access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in 
Airflow 2.6.0

This issue affects Apache Airflow: before 2.6.0.

Credit:

balis0ng (finder)

References:

https://github.com/apache/airflow/pull/29706
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-39508
Previous By Date Next
Previous By Thread Next

Current thread: