Apache Airflow <2.7.3: Auth DAGRun Note Write VULN
CVE-2023-47037 Published on November 12, 2023
Apache Airflow missing fix for CVE-2023-40611 in 2.7.1 (DAG run broken access)
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then.
Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated users holding DAG-view authorization to modify some DAG run detail values when submitting notes. This lets such users alter details such as configuration parameters and the start date.
Users should upgrade to version 2.7.3 or later which has removed the vulnerability.
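As an added illustration of the weakness class described above (not Airflow's own code and not the actual 2.7.3 patch): a simplified note-submission handler that copies every submitted field onto the DAG run record, beside a hardened one that writes only the note field. The `DagRun` stand-in, the `CAN_READ_DAG` permission name and the `update_note_*` functions are assumptions made for this example.

```python
from dataclasses import dataclass, field, asdict
from typing import Dict, Any

# Constructed stand-in for the real DAG run record; not Airflow's class.
@dataclass
class DagRun:
    dag_id: str
    run_id: str
    conf: Dict[str, Any] = field(default_factory=dict)
    start_date: str = "2023-11-01T00:00:00Z"
    note: str = ""

# Hypothetical permission name, modelled on the advisory's "DAG-view authorized".
CAN_READ_DAG = "can_read_dag"

class Forbidden(Exception):
    pass

def update_note_vulnerable(run: DagRun, user_perms: set, submitted: Dict[str, Any]) -> DagRun:
    """Weak pattern: the authz check runs, but every submitted key is applied to the
    record, so a viewer can overwrite conf or start_date by adding fields to the note form."""
    if CAN_READ_DAG not in user_perms:
        raise Forbidden("DAG view permission required")
    for key, value in submitted.items():
        if hasattr(run, key):
            setattr(run, key, value)
    return run

def update_note_hardened(run: DagRun, user_perms: set, submitted: Dict[str, Any]) -> DagRun:
    """Hardened pattern: only the note field is writable through this endpoint;
    any other submitted field is ignored (rejecting the request outright is also fine)."""
    if CAN_READ_DAG not in user_perms:
        raise Forbidden("DAG view permission required")
    run.note = str(submitted.get("note", ""))
    return run

def demo():
    # Constructed request body: a note plus fields a viewer should not control.
    body = {"note": "looks fine", "conf": {"env": "prod"}, "start_date": "1970-01-01T00:00:00Z"}
    viewer = {CAN_READ_DAG}
    weak = update_note_vulnerable(DagRun("etl", "run_1"), viewer, dict(body))
    safe = update_note_hardened(DagRun("etl", "run_1"), viewer, dict(body))
    return asdict(weak), asdict(safe)

if __name__ == "__main__":
    print(demo())
```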
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2023-47037 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2023-47037
Affected Versions
Apache Software Foundation Apache Airflow: versions before 2.7.3 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.