Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1obTlyLTdmODQtMjVjOc4AA3Cv
Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes
Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability.
Permalink: https://github.com/advisories/GHSA-hm9r-7f84-25c9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1obTlyLTdmODQtMjVjOc4AA3Cv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 16 days ago
Updated: 8 days ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-hm9r-7f84-25c9, CVE-2023-47037
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-47037
- https://github.com/apache/airflow/pull/33413
- https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0
- http://www.openwall.com/lists/oss-security/2023/11/12/1
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-232.yaml
- https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
- https://github.com/advisories/GHSA-hm9r-7f84-25c9
Affected Packages
pypi:apache-airflow
Versions: < 2.7.3Fixed in: 2.7.3