Apache Airflow <=2.8.1 Authenticated DAG Source Code Disclosure
CVE-2023-50944 Published on January 24, 2024

Apache Airflow: Bypass permission verification to read code of other dags
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2023-50944 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2023-50944 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2023-50944

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-50944 are published in Apache AirFlow:

Apache AirFlow
 

Affected Versions

Apache Software Foundation Apache Airflow:

Exploit Probability

EPSS
0.19%
Percentile
40.99%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.