SB2023071183 - Multiple vulnerabilities in Apache Airflow

Security Bulletin ID SB2023071183

Severity

Medium

Patch available

YES

Number of vulnerabilities 4

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2023-35908)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain read access to a DAG through the URL.

2) Resource management error (CVE-ID: CVE-2023-22888)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. A remote user can cause a service disruption by manipulating the run_id parameter.

3) Resource management error (CVE-ID: CVE-2023-36543)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. A remote user can send specially crafted request to the application and make the current request hang, resulting in resource exhaustion leading to denial of service.

4) Improper access control (CVE-ID: CVE-2022-46651)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Connection edit view. A remote user can bypass implemented security restrictions and gain unauthorized access to sensitive information.

Remediation

Install update from vendor's website.

SB2023071183 - Multiple vulnerabilities in Apache Airflow

Breakdown by Severity

Description

Remediation

References