CVE-2022-29623
CSRF vulnerability in connect-multiparty (npm)

CSRF No known exploit

What is CVE-2022-29623 About?

This vulnerability is a CSRF (Cross-Site Request Forgery) flaw in Apache Airflow versions 2.7.0 through 2.7.3. It allows an attacker to trigger DAG execution in a GET request without CSRF validation. This enables malicious websites to trick users into unknowingly executing DAGs in their Airflow UI session.

Affected Software

connect-multiparty <=2.2.0

Technical Details

Apache Airflow, in specified versions, allows for the triggering of Directed Acyclic Graphs (DAGs) via HTTP GET requests, crucially without implementing proper Cross-Site Request Forgery (CSRF) validation. An attacker can craft a malicious website containing an HTML <img> tag, a hidden <iframe>, or a simple <a> tag with its href attribute pointing to a specific Airflow endpoint used to trigger a DAG (e.g., /trigger_dag?dag_id=malicious_dag). If a legitimate Airflow user, who is authenticated and has an active session with the Airflow UI, visits the malicious website, their browser will automatically send the GET request to Airflow. Because Airflow lacks CSRF protection for this endpoint and trusts requests from the user's session, the DAG associated with the request will be executed without the user's explicit consent or knowledge, potentially leading to unintended operations or data manipulation.
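The pattern described above, shown beside a hardened form, as an added example that is not Airflow's or connect-multiparty's code. The handler names, the in-memory session store, the `csrf_token` form field and the `example_dag` id are all hypothetical, and the handlers only record the request instead of running anything.

```python
import hmac
import io
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store: session id -> CSRF token (hypothetical).
SESSIONS = {"sess-1": secrets.token_urlsafe(32)}
TRIGGERED = []  # (handler, dag_id) pairs recorded instead of running anything


def make_environ(method, query="", body="", cookie=""):
    """Build a minimal WSGI-style environ for the constructed requests."""
    raw = body.encode()
    return {"REQUEST_METHOD": method, "QUERY_STRING": query,
            "HTTP_COOKIE": cookie, "CONTENT_LENGTH": str(len(raw)),
            "wsgi.input": io.BytesIO(raw)}


def session_id(environ):
    """Return the value of the 'session' cookie, or None (simplified parsing)."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def trigger_vulnerable(environ):
    """Changes state on GET, authorised by the session cookie alone."""
    if session_id(environ) not in SESSIONS:
        return 401
    dag_id = parse_qs(environ["QUERY_STRING"]).get("dag_id", [""])[0]
    TRIGGERED.append(("vulnerable", dag_id))
    return 200


def trigger_hardened(environ):
    """Same action, accepted only as POST carrying the per-session CSRF token."""
    if environ["REQUEST_METHOD"] != "POST":
        return 405  # a GET must never change state
    expected = SESSIONS.get(session_id(environ))
    if expected is None:
        return 401
    form = parse_qs(environ["wsgi.input"].read(int(environ["CONTENT_LENGTH"])).decode())
    supplied = form.get("csrf_token", [""])[0]
    # Constant-time compare; a cross-site page can send the cookie but cannot read the token.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    TRIGGERED.append(("hardened", form.get("dag_id", [""])[0]))
    return 200
```

The hardened handler returns 405 for any GET and 403 for a POST without the session's token, so a request that arrives with only the browser-attached cookie changes nothing.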

What is the Impact of CVE-2022-29623?

Successful exploitation may allow attackers to trigger arbitrary DAGs without user consent, leading to unauthorized actions, data manipulation, resource exhaustion, or other operational disruptions within the Airflow environment.

What is the Exploitability of CVE-2022-29623?

Exploitation of this CSRF vulnerability is moderately complex, requiring knowledge of specific Airflow DAG trigger endpoints and an active, authenticated user session. The attacker needs no authentication of their own at the time of the attack, because it leverages the victim's existing session. Privilege requirements are dictated by the victim's permissions to trigger DAGs. This is a remote exploitation scenario in which the attacker hosts a malicious website. The attack requires the victim to be logged into their Airflow UI session and then to visit the attacker's malicious website. The likelihood of exploitation increases if Airflow instances are widely used in organizations and if users frequently operate with active sessions, making them susceptible to social engineering or malicious links.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2022-29623?

Available Upgrade Options

  • No fixes available

What are Similar Vulnerabilities to CVE-2022-29623?

Similar Vulnerabilities: CVE-2022-29241, CVE-2021-43227, CVE-2020-25656, CVE-2019-15829, CVE-2018-15494