Apache Airflow: Improper access control vulnerability on the "varimport" endpoint
CVE-2023-50783

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Airflow
Vendor: CVE Published:; 21 December 2023

Summary

Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification. Users are recommended to upgrade to 2.8.0, which fixes this issue

Affected Version(s)

Apache Airflow 0 < 2.8.0

References

https://github.com/apache/airflow/pull/33932

patch

https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9p...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/12/21/4

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 21, 2023
Vulnerability Reserved
Dec 13, 2023

Credit

balis0ng

Ephraim Anierobi