#VU83544 Improper access control in Apache Airflow - CVE-2023-40611,CVE-2023-47037
Published: November 28, 2023
Vulnerability identifier: #VU83544
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-40611,CVE-2023-47037
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache Airflow
Apache Airflow
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote authenticated and DAG-view authorized user can modify some DAG run detail values when submitting notes.
Note, the vulnerability was reported as patched in version 2.7.1, however the vendor has failed to apply it.
Remediation
Install updates from vendor's website.