List: oss-security
Subject: [oss-security] CVE-2023-37379: Apache Airflow: Exposure of sensitive conn
From: Ephraim Anierobi <ephraimanierobi () apache ! org>
Date: 2023-08-23 10:33:44
Message-ID: df82d924-d2b9-dabd-7463-de632d8aa201 () apache ! org
Severity: moderate
Affected versions:
- Apache Airflow before 2.7.0
Description:
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user who holds Connection edit privileges. Such a user can access connection information and abuse the test connection feature by sending many requests, causing a denial of service (DoS) condition on the server. Malicious actors can also use this vulnerability to establish harmful connections with the server.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionality, reducing the attack surface.
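The DoS half of this advisory is a request-volume problem, so one thing an operator can do while planning the upgrade is watch the webserver access log for any single user hammering the test connection endpoint. The detector below is an added example written for this note, not Airflow's own code or anything from the fix PR. It assumes a simplified access-log line format (constructed here: timestamp, user, method, path, status) and that the UI's test connection request is a POST to `/connection/test`; both the log format and the path are assumptions, so adapt them to your deployment's actual log layout.

```python
"""Flag users who send bursts of test-connection requests to Airflow.

Added example for CVE-2023-37379; not Airflow code. Assumes (hypothetically)
one access-log line per request in the form
    "<ISO-8601 time> <user> <METHOD> <path> <status>"
and that the UI test-connection endpoint is "POST /connection/test".
Lines for a given user must be in time order (normal for an access log).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed endpoint path; adjust to match your Airflow version/deployment.
TEST_PATH = "/connection/test"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (
        datetime.fromisoformat(m.group("ts")),
        m.group("user"),
        m.group("method"),
        m.group("path"),
        int(m.group("status")),
    )


def find_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {user: peak_count} for users who issued at least `threshold`
    test-connection POSTs inside any sliding `window`.

    A per-user deque holds timestamps of recent test requests; entries older
    than `window` relative to the newest request are dropped, so len(deque)
    is the count in the current window.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the scan
        ts, user, method, path, _status = rec
        if method != "POST" or path != TEST_PATH:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks


def constructed_sample_log():
    """Constructed sample data (not from a real deployment): alice fires 25
    test requests two seconds apart, bob three spread over 30 seconds, carol
    only lists connections, plus one garbled line."""
    base = datetime(2023, 8, 23, 10, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=2 * i)).isoformat()} alice POST {TEST_PATH} 200"
        for i in range(25)
    ]
    lines += [
        f"{(base + timedelta(seconds=10 * i + 1)).isoformat()} bob POST {TEST_PATH} 200"
        for i in range(3)
    ]
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} carol GET /connection/list 200")
    lines.append("garbled line with no structure")
    return lines


if __name__ == "__main__":
    for user, peak in sorted(find_bursts(constructed_sample_log()).items()):
        print(f"{user}: {peak} test-connection requests within one window")
```

The threshold and window are deliberately plain parameters: a legitimate operator testing a handful of connections while debugging a DAG will never reach twenty POSTs in a minute, so an alert at that level points either at abuse of the feature described above or at automation that should be reviewed along with the user's Connection permissions.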
Credit:
kuteminh11 (finder)
khoabda of Zalo Security Team (finder)
Sayooj B Kumar (Team bi0s & CRED Security team) (finder)
Son Tran from VNPT - VCI (finder)
KmhlYXJ0 (finder)
References:
https://github.com/apache/airflow/pull/32052
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-37379