BIT-airflow-2023-42663
Information Disclosure vulnerability in apache-airflow (PyPI)
What is BIT-airflow-2023-42663 About?
This information disclosure vulnerability in Apache Airflow allows authorized users to access data beyond their designated scope. An authorized user with read access to specific DAGs can read task instance information from other unauthorized DAGs. Exploitation is moderately easy, requiring an authenticated account and crafting specific requests.
Affected Software
Technical Details
Apache Airflow versions prior to 2.7.2 suffer from an information disclosure vulnerability. An authorized user, while granted read access only to a subset of DAGs, can bypass intended access controls to retrieve information about task instances belonging to other DAGs for which they have no explicit authorization. This typically occurs because the API or UI endpoints that serve task instance data fail to sufficiently filter results based on the user's granular DAG permissions. By crafting specific requests, the user can query the system for task instance details (e.g., status, start/end times, logs, configuration) related to DAGs outside their allowed scope, leading to unauthorized data exposure.
What is the Impact of BIT-airflow-2023-42663?
Successful exploitation may allow attackers to gain unauthorized access to sensitive operational data, disclose internal workflow information, or obtain knowledge about the system's scheduling and task execution, potentially aiding further attacks.
What is the Exploitability of BIT-airflow-2023-42663?
Exploitation requires an existing authenticated user account within Apache Airflow, with at least read access to some DAGs. No elevated privileges beyond a standard authorized user are required. The attack is remote, performed via the web interface or API. The complexity is moderate, as it involves understanding how to query the system for task instance information and identifying the parameters that can be manipulated to bypass access restrictions. There are no special technical prerequisites beyond having valid Airflow credentials. Risk factors are increased in environments where sensitive information might be present in task instance logs or metadata, and where users have varying, granulated access permissions that the system fails to enforce consistently.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for BIT-airflow-2023-42663?
Available Upgrade Options
- apache-airflow
- <2.7.2 → Upgrade to 2.7.2
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/apache/airflow/pull/34315
- https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9
- https://github.com/apache/airflow/pull/34315
- https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9
- http://www.openwall.com/lists/oss-security/2023/11/12/2
- https://osv.dev/vulnerability/GHSA-32wr-qqw6-5mfp
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-197.yaml
- https://github.com/apache/airflow
- https://osv.dev/vulnerability/PYSEC-2023-197
- https://nvd.nist.gov/vuln/detail/CVE-2023-42663
What are Similar Vulnerabilities to BIT-airflow-2023-42663?
Similar Vulnerabilities: CVE-2022-26134 , CVE-2021-27807 , CVE-2020-13936 , CVE-2019-10072 , CVE-2021-38555
