BIT-airflow-2023-42792
Privilege Escalation vulnerability in apache-airflow (PyPI)
What is BIT-airflow-2023-42792 About?
This vulnerability in Apache Airflow allows an authenticated user whose access is limited to a subset of DAGs to escalate their privileges. By crafting a specific request, they can obtain write access to DAG resources belonging to DAGs they were never granted, and in particular clear DAGs they should not be able to touch. Exploitation is of moderate difficulty: it requires an existing user account with some DAG access and knowledge of how the affected requests are structured.
Affected Software
apache-airflow (PyPI): all versions prior to 2.7.2.
Technical Details
The vulnerability exists in Apache Airflow versions prior to 2.7.2. Airflow's DAG-level access control lets an administrator grant a user permissions on only a subset of DAGs, and the web server is expected to enforce those per-DAG permissions on every request. In the affected versions, a user with limited access could craft a request for which that check did not cover all of the DAG resources the request acted on. The crafted request therefore gave the user effective write access to DAG resources of DAGs they were not authorized to change, so they could, for example, clear DAGs that fall outside their assigned scope. The upstream fix is the pull request linked under Additional Resources (apache/airflow#34366).
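The bug class described above, as an added example that is not Airflow's own code: a minimal model in which the authorization check looks only at the DAG id named in the URL while the action operates on DAG ids supplied in the request body. The request shape, the permission model, the user and DAG names and the `PermissionDenied` helper are all assumptions made for illustration; the hardened variant shows the check a practitioner would expect, namely authorizing every DAG the request would touch before mutating anything.

```python
# Added example, not Airflow's own code: a minimal model of the bug class that
# CVE-2023-42792 belongs to. The authorization check looks at one DAG id (the one
# in the URL) while the action operates on DAG ids supplied in the request body.
# Names, the request shape and the permission model are all assumptions.
from __future__ import annotations

from dataclasses import dataclass, field

CAN_READ = "can_read"
CAN_EDIT = "can_edit"


@dataclass
class User:
    name: str
    # dag_id -> actions granted on that DAG (simplified per-DAG permission model)
    dag_perms: dict[str, set[str]] = field(default_factory=dict)

    def can(self, action: str, dag_id: str) -> bool:
        return action in self.dag_perms.get(dag_id, set())


@dataclass
class ClearRequest:
    # Hypothetical request: a DAG id from the URL path plus a body listing the
    # task instances to clear. Nothing forces the body to stay within url_dag_id.
    url_dag_id: str
    body: list[dict[str, str]]


class PermissionDenied(Exception):
    pass


def _apply_clear(req: ClearRequest, state: dict[tuple[str, str], str]) -> list[tuple[str, str]]:
    """Reset each named task instance to 'none'; return the keys it touched."""
    cleared = []
    for item in req.body:
        key = (item["dag_id"], item["task_id"])
        if key in state:
            state[key] = "none"
            cleared.append(key)
    return cleared


def clear_vulnerable(user: User, req: ClearRequest, state: dict) -> list[tuple[str, str]]:
    """Vulnerable pattern: authorize the URL DAG only, then act on the body."""
    if not user.can(CAN_EDIT, req.url_dag_id):
        raise PermissionDenied(req.url_dag_id)
    return _apply_clear(req, state)


def clear_hardened(user: User, req: ClearRequest, state: dict) -> list[tuple[str, str]]:
    """Hardened pattern: require CAN_EDIT on every DAG the request would touch,
    and fail closed before mutating anything."""
    touched = {req.url_dag_id} | {item["dag_id"] for item in req.body}
    denied = sorted(d for d in touched if not user.can(CAN_EDIT, d))
    if denied:
        raise PermissionDenied(", ".join(denied))
    return _apply_clear(req, state)


def _scenario() -> tuple[User, ClearRequest, dict]:
    # Constructed fixture: two DAGs, and a user who may edit only team_a_etl.
    state = {
        ("team_a_etl", "extract"): "success",
        ("finance_payroll", "pay"): "success",
    }
    user = User("mallory", {
        "team_a_etl": {CAN_READ, CAN_EDIT},
        "finance_payroll": {CAN_READ},
    })
    # The URL names the DAG the user may edit; the body targets a different one.
    req = ClearRequest(
        url_dag_id="team_a_etl",
        body=[{"dag_id": "finance_payroll", "task_id": "pay"}],
    )
    return user, req, state


def attack_vulnerable() -> tuple[list[tuple[str, str]], str]:
    """Run the crafted request against the vulnerable check."""
    user, req, state = _scenario()
    cleared = clear_vulnerable(user, req, state)
    return cleared, state[("finance_payroll", "pay")]


def attack_hardened() -> tuple[str | None, str]:
    """Run the same request against the hardened check; return the denial text."""
    user, req, state = _scenario()
    try:
        clear_hardened(user, req, state)
        denied = None
    except PermissionDenied as exc:
        denied = str(exc)
    return denied, state[("finance_payroll", "pay")]


if __name__ == "__main__":
    print("vulnerable:", attack_vulnerable())  # clears finance_payroll/pay
    print("hardened:  ", attack_hardened())    # denied, state untouched
```

The point of the hardened version is that authorization is computed over the set of resources the request will actually modify, not over whatever identifier happens to sit in the URL, and that the denial happens before any state changes so a partially applied clear cannot leak through.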
What is the Impact of BIT-airflow-2023-42792?
Successful exploitation allows an authenticated low-privilege user to modify or delete DAG state for DAGs outside their permission scope, for example clearing runs so that tasks execute again. In practice that means escalated privileges within Airflow, disruption of scheduled workflows, and loss of integrity for the automated pipelines those DAGs implement.
What is the Exploitability of BIT-airflow-2023-42792?
Exploitation requires an authenticated user account with at least some limited access to DAGs within Apache Airflow. No administrative privileges are needed: the issue is a privilege escalation from an existing low-privilege account, not an unauthenticated bypass. The attack is remote and is performed through the web interface. Crafting the request is of moderate complexity, requiring an understanding of how Airflow's web endpoints are structured and how the affected request is processed. The primary enabler is the missing authorization check on the DAG resources the crafted request references. Deployments most exposed are multi-tenant ones where many users hold per-DAG permissions of varying scope; a deployment in which every user is already an administrator has no lower tier to escalate from, but is no safer against those users.
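Because the attack runs through the web interface, the actions it performs are the kind Airflow records in its audit log. The following is an added detection example, not from the page or the Airflow project: it hunts for write-type actions performed by a user who held no edit permission on the DAG concerned. The column names loosely follow Airflow's `log` table (`dttm`, `event`, `dag_id`, `owner`), but the event names, the audit rows and the permission snapshot are constructed assumptions; in a real hunt the permission map would be pulled from the deployment's auth manager or role tables.

```python
# Added detection example, not from the page or the Airflow project: look for
# write-type actions in an Airflow-style audit log performed by a user who holds
# no edit permission on the DAG concerned. Column names loosely follow Airflow's
# `log` table (dttm, event, dag_id, owner); the event names, the rows and the
# permission map are constructed assumptions.
from __future__ import annotations

# Events treated as writes to a DAG (assumed names; adjust to your deployment).
WRITE_EVENTS = {"clear", "trigger", "delete", "paused"}

# Constructed audit rows, one per logged web action.
AUDIT_ROWS = [
    {"dttm": "2023-10-02T08:10:00", "event": "graph", "dag_id": "finance_payroll", "owner": "mallory"},
    {"dttm": "2023-10-02T08:11:00", "event": "clear", "dag_id": "team_a_etl", "owner": "mallory"},
    {"dttm": "2023-10-02T08:12:00", "event": "clear", "dag_id": "finance_payroll", "owner": "mallory"},
    {"dttm": "2023-10-02T08:13:00", "event": "trigger", "dag_id": "finance_payroll", "owner": "alice"},
    {"dttm": "2023-10-02T08:14:00", "event": "paused", "dag_id": "hr_sync", "owner": "ghost"},
]

# Constructed permission snapshot: owner -> dag_id -> granted actions.
PERMISSIONS = {
    "mallory": {"team_a_etl": {"can_read", "can_edit"}, "finance_payroll": {"can_read"}},
    "alice": {"finance_payroll": {"can_read", "can_edit"}},
}


def find_unauthorized_writes(rows: list[dict], perms: dict) -> list[dict]:
    """Return audit rows whose actor lacked can_edit on the DAG they wrote to.

    Unknown actors are flagged as well (fail closed): a write by an account
    with no recorded permissions is at least worth a look.
    """
    findings = []
    for row in rows:
        if row["event"] not in WRITE_EVENTS or not row.get("dag_id"):
            continue
        granted = perms.get(row["owner"], {}).get(row["dag_id"], set())
        if "can_edit" not in granted:
            reason = "no can_edit on dag" if row["owner"] in perms else "unknown actor"
            findings.append({**row, "reason": reason})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per actor, useful for deciding which account to review first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["owner"]] = counts.get(f["owner"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthorized_writes(AUDIT_ROWS, PERMISSIONS)
    for h in hits:
        print(f'{h["dttm"]} {h["owner"]:8} {h["event"]:8} {h["dag_id"]:16} {h["reason"]}')
    print(summarize(hits))
```

Run against a permission snapshot taken at the time of the events rather than today's, since the whole point is to spot writes that the then-current grants did not allow.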
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-airflow-2023-42792?
Available Upgrade Options
- apache-airflow
- <2.7.2 → Upgrade to 2.7.2
Note that the follow-up advisory CVE-2023-47037 reports that the intended fix (apache/airflow#34366) was not actually included in the 2.7.2 release, so in practice upgrade to 2.7.3 or later. Until the upgrade is done, review which accounts hold per-DAG edit permissions and keep the web interface reachable only by users you already trust with the DAGs they can see.
Additional Resources
- https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq
- http://www.openwall.com/lists/oss-security/2023/12/21/1
- https://github.com/apache/airflow/pull/34366
- https://github.com/apache/airflow
- https://nvd.nist.gov/vuln/detail/CVE-2023-42792
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-203.yaml
- https://osv.dev/vulnerability/PYSEC-2023-203
What are Similar Vulnerabilities to BIT-airflow-2023-42792?
Similar Vulnerabilities: CVE-2022-26134, CVE-2021-27807, CVE-2020-13936, CVE-2019-10072, CVE-2021-38555
