Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-47037

We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability.

Published

2023-11-12T14:15:25.980

Last Modified

2025-02-13T18:15:37.967

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

Weaknesses

Type: Primary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	airflow	< 2.7.3	Yes

References

http://www.openwall.com/lists/oss-security/2023/11/12/1 Mailing List, Third Party Advisory ([email protected])
https://github.com/apache/airflow/pull/33413 Issue Tracking, Patch ([email protected])
https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0 Mailing List ([email protected])
http://www.openwall.com/lists/oss-security/2023/11/12/1 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/apache/airflow/pull/33413 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0 Mailing List (af854a3a-2127-422b-91ae-364da2661108)