Vulnerability Monitor

CVE-2023-40611


Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users with DAG-view authorization to modify some DAG run detail values when submitting notes. This could let them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later, which has removed the vulnerability.


Published

2023-09-12T12:15:08.200

Last Modified

2025-06-25T14:15:21.987

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-863
  • Type: Primary
    CWE-863

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | airflow | < 2.7.3 | Yes |
