CVE-2023-22887
Path Traversal vulnerability in apache-airflow (PyPI)

Path Traversal | No known exploit

What is CVE-2023-22887 About?

Apache Airflow versions before 2.6.3 are vulnerable to unauthorized file access through a path traversal flaw in the handling of the `run_id` parameter. By manipulating this parameter, authenticated users can access files outside the intended directory structure. The vulnerability is considered low severity, but exploitation can lead to information disclosure.

Affected Software

apache-airflow <2.6.3

Technical Details

The vulnerability in Apache Airflow (versions before 2.6.3) stems from improper sanitization or validation of the `run_id` parameter, which allows path traversal. When an authenticated user manipulates the `run_id` parameter, it is possible to inject directory traversal sequences (e.g., `../`, `../../`) into file paths that the application constructs or accesses. This allows the attacker to read or potentially write files located outside the intended and restricted directory structure on the Airflow server. The core mechanism is the failure to canonicalize the path derived from `run_id` before using it in file system operations.
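
The failure described above, shown beside a hardened counterpart. This is an added example, not Airflow's code or the actual 2.6.3 patch; `BASE_DIR`, the function names and the `run_id` allowlist are assumptions made for illustration.

```python
import os
import re

BASE_DIR = "/opt/airflow/logs"  # assumed log root, not Airflow's real layout
# Assumed allowlist: a single path component, no "/" and no leading dot.
RUN_ID_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.:+-]*")


def unsafe_log_path(run_id, base_dir=BASE_DIR):
    """Vulnerable pattern: run_id goes into the path without any check."""
    return os.path.normpath(os.path.join(base_dir, run_id, "task.log"))


def safe_log_path(run_id, base_dir=BASE_DIR):
    """Validate run_id, canonicalize, then confirm the result is under base_dir."""
    if not RUN_ID_RE.fullmatch(run_id):
        raise ValueError(f"invalid run_id: {run_id!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, run_id, "task.log"))
    # Containment check after resolving symlinks and "..": defence in depth
    # in case the allowlist is loosened later.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the log directory")
    return candidate


def is_rejected(run_id):
    """True when the hardened function refuses the identifier."""
    try:
        safe_log_path(run_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary identifier, one relative
    # traversal, and one absolute path (os.path.join drops base_dir for it).
    for rid in ["scheduled__2023-07-01T00:00:00+00:00", "../../../etc", "/etc"]:
        verdict = "rejected" if is_rejected(rid) else safe_log_path(rid)
        print(f"{rid!r}\n  unsafe -> {unsafe_log_path(rid)}\n  safe   -> {verdict}")
```

The absolute-path case is the one most often missed: `os.path.join` discards every earlier component when a later one starts with `/`, so stripping `../` alone does not close the hole.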

What is the Impact of CVE-2023-22887?

Successful exploitation may allow attackers to read arbitrary files from the server's file system, potentially leading to information disclosure and further compromise.

What is the Exploitability of CVE-2023-22887?

Exploitation of this vulnerability requires an authenticated user to manipulate the `run_id` parameter. The complexity is low for an authenticated user who understands the flaw. Authentication to the Airflow instance with sufficient privileges to interact with functions modifying `run_id` is a prerequisite. This is typically a remote exploit. The primary risk factor is an authenticated attacker crafting a malicious `run_id` to access sensitive files.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2023-22887?

Available Upgrade Options

  • apache-airflow
    • <2.6.3 → Upgrade to 2.6.3

What are Similar Vulnerabilities to CVE-2023-22887?

Similar Vulnerabilities: CVE-2022-29970, CVE-2022-44161, CVE-2022-38743, CVE-2022-38500, CVE-2022-34909