Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 21 Dec 2023 07:05:04 +0000
From: Ephraim Anierobi <ephraimanierobi@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-49920: Apache Airflow: Missing CSRF protection on
 DAG/trigger 

Severity: moderate

Affected versions:

- Apache Airflow 2.7.0 before 2.8.0

Description:

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.
Users are advised to upgrade to version 2.8.0 or later which is not affected

Credit:

Tareq Ahamed ( 0xt4req) (finder)
Jens Scheffler (remediation developer)

References:

https://github.com/apache/airflow/pull/36026
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-49920

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.