BIT-airflow-2023-35908
Information Disclosure vulnerability in apache-airflow (PyPI)
What is BIT-airflow-2023-35908 About?
This vulnerability in Apache Airflow, affecting versions before 2.6.3, allows unauthorized read access to DAGs through a crafted URL. It enables an attacker to view the contents of DAGs without proper authorization, potentially exposing sensitive workflow logic or data. Exploitation is straightforward, requiring only knowledge of how to craft the URL.
Affected Software
- apache-airflow (PyPI): versions before 2.6.3
Technical Details
Apache Airflow versions prior to 2.6.3 are vulnerable to unauthorized information disclosure concerning Directed Acyclic Graphs (DAGs). The vulnerability allows a remote attacker to gain read access to the contents of a DAG by crafting a specific URL. This bypasses the intended access control mechanisms. The exposure likely stems from an endpoint that fetches DAG definitions without adequately validating user permissions against the requested DAG ID or path, allowing an unauthenticated or improperly authorized user to directly access the DAG's details via its URL. This could reveal task definitions, parameters, and potentially sensitive logic or configurations embedded within the DAG code.
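To make the flaw class concrete, the following is an added illustration written for this page, not Apache Airflow's own code: a model of a "view DAG details" endpoint that checks only a coarse DAG-read role (the vulnerable pattern the technical details describe) beside a version that authorizes against the specific dag_id taken from the URL. The User and DAG_STORE objects and the view_dag_* functions are hypothetical, and the DAG contents are constructed sample data.

```python
# Added illustration (not Apache Airflow's code) of per-object authorization on
# a DAG details endpoint. User, DAG_STORE, Forbidden and view_dag_* are hypothetical.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # DAG ids this user has been granted read access to (hypothetical access model).
    readable_dags: set[str] = field(default_factory=set)
    # Coarse role flag: the user may read "some" DAGs.
    can_read_dags: bool = False


# Constructed sample store: dag_id -> DAG source text.
DAG_STORE = {
    "payroll_export": "# DAG with connection ids and business logic for payroll export",
    "nightly_cleanup": "# DAG with harmless cleanup tasks",
}


class Forbidden(Exception):
    pass


def view_dag_vulnerable(user: User, dag_id: str) -> str:
    """Vulnerable pattern: only the coarse role is checked, so the dag_id taken
    from the URL is never compared with what this user was actually granted."""
    if not user.can_read_dags:
        raise Forbidden("no DAG read role")
    return DAG_STORE[dag_id]


def view_dag_fixed(user: User, dag_id: str) -> str:
    """Hardened pattern: authorization is evaluated against the DAG the request
    names. An unknown id and an unauthorized id produce the same error, so the
    endpoint does not reveal which DAG ids exist."""
    if dag_id not in user.readable_dags or dag_id not in DAG_STORE:
        raise Forbidden("not authorized for this DAG")
    return DAG_STORE[dag_id]


def probe(view, user: User, dag_id: str) -> str:
    """Summarize the outcome of one request as 'allowed', 'denied' or 'not found'."""
    try:
        view(user, dag_id)
        return "allowed"
    except Forbidden:
        return "denied"
    except KeyError:
        return "not found"


if __name__ == "__main__":
    # An analyst granted one DAG: the vulnerable view still serves the other one.
    analyst = User("analyst", {"nightly_cleanup"}, can_read_dags=True)
    for dag_id in DAG_STORE:
        print(f"{dag_id:16} vulnerable={probe(view_dag_vulnerable, analyst, dag_id):8}"
              f" fixed={probe(view_dag_fixed, analyst, dag_id)}")
```

The point of the contrast is the unit of authorization: the role answers "may this user read DAGs at all?", whereas the requested dag_id must be checked against the user's grants on every request that carries an identifier from the URL.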
What is the Impact of BIT-airflow-2023-35908?
Successful exploitation may allow attackers to gain unauthorized read access to DAG definitions, potentially exposing sensitive workflow logic, operational details, and configurations.
What is the Exploitability of BIT-airflow-2023-35908?
Exploitation of this vulnerability is of relatively low complexity, requiring the attacker to formulate a specific URL to directly access a DAG. No authentication is required, as the vulnerability explicitly states 'unauthorized read access'. Access is remote, as it involves making a request to the Airflow web interface. The only special condition is the ability to guess or know the name or identifier of a DAG. The risk increases if DAG names are predictable or easily discoverable, and if sensitive information is embedded directly within DAG definitions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-airflow-2023-35908?
Available Upgrade Options
- apache-airflow
- <2.6.3 → Upgrade to 2.6.3
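The version range above is the one fact an inventory check needs. The following is an added example for this page, not a Resolved Security or Apache Airflow tool: it reads `pip freeze` style lines and flags any apache-airflow entry below 2.6.3, treating pre-release tags of 2.6.3 itself (2.6.3rc1 and the like) as still affected, since they precede the fixed release. The sample freeze output is constructed.

```python
# Added example (not the project's code): flag apache-airflow versions in the
# advisory's affected range (<2.6.3) from 'name==version' lines.
import re

ADVISORY = "BIT-airflow-2023-35908"
PACKAGE = "apache-airflow"
# (major, minor, patch, is_final); a pre-release of 2.6.3 sorts before the fix.
FIXED_VERSION = (2, 6, 3, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc|\.dev)\d+)?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'X.Y.Z' with an optional PEP 440 style pre-release tag into a
    comparable tuple. Anything else raises, rather than silently passing."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True when an apache-airflow version falls below the 2.6.3 fix."""
    return parse_version(version) < FIXED_VERSION


def audit_freeze(freeze_output: str) -> list[str]:
    """Return one finding per affected apache-airflow line in pip freeze output."""
    findings = []
    for raw in freeze_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, version = line.partition("==")
        if name.strip().lower() == PACKAGE and is_affected(version):
            findings.append(f"{line}: affected by {ADVISORY}, upgrade to 2.6.3")
    return findings


if __name__ == "__main__":
    # Constructed sample: an Airflow environment pinned below the fix.
    sample = "apache-airflow==2.5.1\nrequests==2.31.0\n# comment\napache-airflow-providers-http==4.1.0\n"
    for finding in audit_freeze(sample):
        print(finding)
```

Only the exact distribution name is matched, so provider packages such as apache-airflow-providers-* are not mistaken for the core package; the comparison tuple's final element is what keeps 2.6.3rc1 on the affected side of the boundary.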
Additional Resources
- https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml
- https://github.com/apache/airflow/pull/32014
- https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db
- https://github.com/apache/airflow
- https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352
- https://osv.dev/vulnerability/GHSA-2h84-3crq-vgfj
- https://nvd.nist.gov/vuln/detail/CVE-2023-35908
What are Similar Vulnerabilities to BIT-airflow-2023-35908?
Similar Vulnerabilities: CVE-2021-41270, CVE-2022-24329, CVE-2022-26135, CVE-2021-36728, CVE-2020-13945
