Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-39508

Execution with Unnecessary Privileges, : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow.The "Run Task" feature enables authenticated user to bypass some of the restrictions put in place. It allows to execute code in the webserver context as well as allows to bypas limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and it has been removed entirely in Airflow 2.6.0 This issue affects Apache Airflow: before 2.6.0.

Published

2023-08-05T07:15:43.607

Last Modified

2025-02-13T17:16:53.357

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses

Type: Secondary
CWE-200
CWE-250
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	airflow	< 2.6.0	Yes

References

http://seclists.org/fulldisclosure/2023/Jul/43 Not Applicable ([email protected])
https://github.com/apache/airflow/pull/29706 Patch, Vendor Advisory ([email protected])
https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15 Mailing List, Vendor Advisory ([email protected])
http://seclists.org/fulldisclosure/2023/Jul/43 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/apache/airflow/pull/29706 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/j2nkjd0zqvtqk85s6ywpx3c35pvzyx15 Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)