Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jZ3gyLXJybXItang0M84AA2ch
Apache Airflow vulnerable to sensitive information exposure when users list warnings for all DAGs
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
Permalink: https://github.com/advisories/GHSA-cgx2-rrmr-jx43JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZ3gyLXJybXItang0M84AA2ch
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 3 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-cgx2-rrmr-jx43, CVE-2023-42780
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-42780
- https://github.com/apache/airflow/pull/34355
- https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d
- https://github.com/apache/airflow/commit/cf4eb3fb9b5cf4a8369b890e39523d4c05eed161
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-202.yaml
- https://github.com/advisories/GHSA-cgx2-rrmr-jx43
Blast Radius: 20.7
Affected Packages
pypi:apache-airflow
Dependent packages: 314Dependent repositories: 1,554
Downloads: 30,839,815 last month
Affected Version Ranges: < 2.7.2
Fixed in: 2.7.2
All affected versions: 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1
All unaffected versions: 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.10.2, 2.10.3