CVE-2023-40611
Improper Input Validation vulnerability in apache-airflow (PyPI)
What is CVE-2023-40611 About?
This vulnerability allows authenticated and authorized Apache Airflow users to modify DAG run detail values when submitting notes. Attackers can alter critical configuration parameters and start dates, potentially disrupting operations or influencing execution. Exploitation is straightforward for users with the necessary access.
Affected Software
Technical Details
Apache Airflow versions prior to 2.7.1 are susceptible to an improper input validation vulnerability. The issue arises when an authenticated user with DAG-view authorization submits notes on a DAG run. The application fails to adequately validate or sanitize the input provided within these notes, allowing the user to inject or modify values for certain DAG run details. This includes sensitive parameters like configuration settings and the start date. By manipulating the input within the notes submission, the attacker can effectively alter these internal operational parameters of a DAG run, leading to unauthorized changes in its behavior or metadata.
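A simplified model of the flaw class described above, as an added example that is not Apache Airflow's code: the `DagRun` class, its field names, the sample values and `MAX_NOTE_LEN` are assumptions made for illustration. It contrasts a note handler that writes every submitted field with one that accepts only the note.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class DagRun:  # hypothetical stand-in for a DAG run record
    run_id: str
    start_date: datetime
    conf: dict = field(default_factory=dict)
    note: str = ""


EDITABLE_FIELDS = {"note"}  # the only field a note submission may change
MAX_NOTE_LEN = 1000         # assumed limit for this example


def apply_note_unsafe(run, submitted):
    """Weak pattern: any submitted key matching an attribute is written."""
    for key, value in submitted.items():
        if hasattr(run, key):
            setattr(run, key, value)
    return run


def apply_note_safe(run, submitted):
    """Hardened pattern: reject fields outside the allowlist, validate the note."""
    unexpected = set(submitted) - EDITABLE_FIELDS
    if unexpected:
        raise ValueError(f"fields not editable here: {sorted(unexpected)}")
    note = submitted.get("note", "")
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN:
        raise ValueError("note must be a string within the length limit")
    run.note = note
    return run


def new_run():
    """Constructed sample record."""
    return DagRun("manual__2023-08-01", datetime(2023, 8, 1), {"env": "prod"})


# Constructed submission that carries extra fields alongside the note.
SUBMISSION = {"note": "checked", "conf": {"env": "test"},
              "start_date": datetime(2020, 1, 1)}
```

Rejecting unexpected fields, rather than silently dropping them, also leaves a server-side error that can be logged and alerted on.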
What is the Impact of CVE-2023-40611?
Successful exploitation may allow attackers to modify DAG run details without authorization, potentially disrupting operational workflows, altering system configurations, or corrupting metadata.
What is the Exploitability of CVE-2023-40611?
Exploitation requires an authenticated user with specific authorization to view DAGs. The attacker must interact with the application UI to submit notes, making it an authenticated, local-to-web application attack. The complexity is low as it leverages an existing UI function with missing input validation. There are no special conditions beyond the required user permissions. The risk factor is increased in environments where numerous users have DAG-view authorization, as any such user could potentially exploit this.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-40611?
Available Upgrade Options
- apache-airflow
  - <2.7.1 → Upgrade to 2.7.1
Additional Resources
- https://github.com/apache/airflow/pull/33413
- https://nvd.nist.gov/vuln/detail/CVE-2023-40611
- http://www.openwall.com/lists/oss-security/2023/11/12/1
- https://github.com/apache/airflow/commit/2a0106e4edf67c5905ebfcb82a6008662ae0f7ad
- https://github.com/apache/airflow
- https://github.com/apache/airflow/commit/b7a46c970d638028a4a7643ad000dcee951fb9ef
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-170.yaml
- https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0
What are Similar Vulnerabilities to CVE-2023-40611?
Similar Vulnerabilities: CVE-2021-42060, CVE-2020-17521, CVE-2023-45815, CVE-2022-29462, CVE-2021-36770
