
List:       oss-security
Subject:    [oss-security] CVE-2023-37379: Apache Airflow: Exposure of sensitive conn
From:       Ephraim Anierobi <ephraimanierobi () apache ! org>
Date:       2023-08-23 10:33:44
Message-ID: df82d924-d2b9-dabd-7463-de632d8aa201 () apache ! org

Severity: moderate

Affected versions:

- Apache Airflow before 2.7.0

Description:

Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.
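As an added illustration (not part of this advisory or of the Airflow project), the following audit applies the two mitigations above to data shaped like the Airflow REST API's version and roles responses: it flags a deployment older than 2.7.0 and lists the roles that hold the Connection edit privilege the advisory names. The response shape, the RBAC names `Connections`/`can_edit` and the sample payloads are assumptions constructed for the example.

```python
import re

FIXED_VERSION = (2, 7, 0)  # CVE-2023-37379 is fixed in Apache Airflow 2.7.0
# Airflow RBAC names for the Connections view (assumed; compare with your "List Roles" page).
CONNECTION_RESOURCE = "Connections"
EDIT_ACTION = "can_edit"

def version_tuple(version: str) -> tuple:
    """Turn '2.6.3' (or '2.7.0rc1') into a comparable tuple of its numeric components."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Airflow version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True when the deployment predates the 2.7.0 fix."""
    return version_tuple(version) < FIXED_VERSION

def roles_with_connection_edit(roles_payload: dict) -> list:
    """Names of roles granting can_edit on Connections (the privilege the advisory names).
    Assumes the shape of Airflow's 'GET /api/v1/roles' response:
    roles -> actions -> {action: {name}, resource: {name}}."""
    flagged = []
    for role in roles_payload.get("roles", []):
        for entry in role.get("actions", []):
            if (entry.get("action", {}).get("name") == EDIT_ACTION
                    and entry.get("resource", {}).get("name") == CONNECTION_RESOURCE):
                flagged.append(role["name"])
                break  # one matching grant is enough to flag the role
    return flagged

def audit(version_payload: dict, roles_payload: dict) -> dict:
    """Summarise exposure: is the version affected, and which roles can reach the feature."""
    return {
        "affected": is_affected(version_payload["version"]),
        "roles_with_connection_edit": roles_with_connection_edit(roles_payload),
    }

# Constructed sample payloads standing in for live '/api/v1/version' and '/api/v1/roles' responses.
SAMPLE_VERSION = {"version": "2.6.3", "git_version": "constructed-sample"}
SAMPLE_ROLES = {"roles": [
    {"name": "Admin", "actions": [
        {"action": {"name": "can_edit"}, "resource": {"name": "Connections"}}]},
    {"name": "Viewer", "actions": [
        {"action": {"name": "can_read"}, "resource": {"name": "Connections"}}]},
    {"name": "DataTeam", "actions": [
        {"action": {"name": "can_read"}, "resource": {"name": "DAGs"}},
        {"action": {"name": "can_edit"}, "resource": {"name": "Connections"}}]},
], "total_entries": 3}
```

Run `audit(SAMPLE_VERSION, SAMPLE_ROLES)` to see the summary; against a real deployment, feed it the decoded JSON of the two API calls instead of the constructed samples.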

Credit:

kuteminh11 (finder)
khoabda of Zalo Security Team (finder)
Sayooj B Kumar (Team bi0s & CRED Security team) (finder)
Son Tran from VNPT - VCI (finder)
KmhlYXJ0 (finder)

References:

https://github.com/apache/airflow/pull/32052
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-37379
