Multiple vulnerabilities in Apache Airflow
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2023-35908 CVE-2023-22888 CVE-2023-36543 CVE-2022-46651 |
| CWE-ID | CWE-284 CWE-399 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Apache Airflow Web applications / Modules and components for CMS |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU86025
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-35908
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain read access to a DAG through the URL.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache Airflow: 0.1 - 2.6.2
External linkshttp://github.com/apache/airflow/pull/32014
http://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource management error
EUVDB-ID: #VU86029
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-22888
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. A remote user can cause a service disruption by manipulating the run_id parameter.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache Airflow: 0.1 - 2.6.2
External linkshttp://github.com/apache/airflow/pull/32293
http://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource management error
EUVDB-ID: #VU86028
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-36543
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. A remote user can send specially crafted request to the application and make the current request hang, resulting in resource exhaustion leading to denial of service.
Install updates from vendor's website.
Vulnerable software versionsApache Airflow: 0.1 - 2.6.2
External linkshttp://github.com/apache/airflow/pull/32060
http://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper access control
EUVDB-ID: #VU86027
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-46651
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in Connection edit view. A remote user can bypass implemented security restrictions and gain unauthorized access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsApache Airflow: 0.1 - 2.6.2
External linkshttp://github.com/apache/airflow/pull/32309
http://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
