CVE-2023-42780
Security vulnerability in apache-airflow (PyPI)
What is CVE-2023-42780 About?
This security vulnerability in Apache Airflow allows authenticated users to list warnings for all Directed Acyclic Graphs (DAGs), bypassing standard permissions. This exposure includes DAG IDs and stack traces of import errors, potentially revealing sensitive information about the application's structure and failures. Exploitation requires prior authentication but is straightforward once authenticated, making it a medium-difficulty issue.
Affected Software
Technical Details
The vulnerability in Apache Airflow versions prior to 2.7.2 allows authenticated users to bypass normal access controls and list warnings for all DAGs within the system. This is achieved by exploiting a flaw in the permission enforcement mechanism related to warning retrieval. When a user requests to view DAG warnings, the system fails to adequately verify if the user has appropriate permissions for every DAG, instead granting access to warning information across all DAGs. This leakage includes the dag_ids and full stack traces for DAGs that failed to import, providing an attacker with valuable internal system details.
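The access-control gap described above, reduced to a minimal Python model. This is an added example, not Airflow's code or the upstream patch; `DagWarning`, `READABLE_DAGS` and both function names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DagWarning:
    dag_id: str
    message: str  # for a DAG that failed to import, this carries the stack trace


# Constructed sample data: two DAGs owned by different teams, each with a warning.
WARNINGS = [
    DagWarning("finance_etl", "Traceback ... /opt/airflow/dags/finance/etl.py ..."),
    DagWarning("marketing_report", "Traceback ... /opt/airflow/dags/marketing/report.py ..."),
]

# Constructed per-user DAG read grants (hypothetical permission store).
READABLE_DAGS = {"alice": {"marketing_report"}, "bob": set()}


def list_warnings_unscoped(user, dag_id=None):
    """Flawed pattern: the caller is authenticated, but per-DAG access is never checked."""
    return [w for w in WARNINGS if dag_id is None or w.dag_id == dag_id]


def list_warnings_scoped(user, dag_id=None):
    """Hardened pattern: results are limited to DAGs the caller is allowed to read."""
    readable = READABLE_DAGS.get(user, set())
    # An explicit request for a DAG outside the caller's grants is refused outright.
    if dag_id is not None and dag_id not in readable:
        raise PermissionError(f"{user} may not read warnings for {dag_id}")
    # A listing request is filtered down to the readable set.
    return [
        w for w in WARNINGS
        if w.dag_id in readable and (dag_id is None or w.dag_id == dag_id)
    ]


if __name__ == "__main__":
    print("unscoped:", [w.dag_id for w in list_warnings_unscoped("alice")])
    print("scoped:  ", [w.dag_id for w in list_warnings_scoped("alice")])
```

A regression test for this class of bug should cover both the unfiltered listing and the explicit `dag_id` lookup, since filtering one path while leaving the other open reproduces the same disclosure.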
What is the Impact of CVE-2023-42780?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information about all DAGs, including their identifiers and detailed error messages that could aid in further reconnaissance or targeted attacks.
What is the Exploitability of CVE-2023-42780?
Exploitation of this vulnerability is of moderate complexity, as it requires the attacker to be an authenticated user of Apache Airflow. There are no specific privilege requirements beyond basic authenticated access. The attack is remote, as it targets the Airflow web interface. There are no special conditions or constraints mentioned, implying that any authenticated user can trigger the information disclosure. The presence of such a vulnerability increases the risk of internal reconnaissance and can lead to further targeted attacks, especially if the disclosed stack traces reveal sensitive internal paths or configurations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-42780?
Available Upgrade Options
- apache-airflow
  - <2.7.2 → Upgrade to 2.7.2
Additional Resources
- https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d
- https://github.com/apache/airflow/pull/34355
- https://github.com/apache/airflow/commit/cf4eb3fb9b5cf4a8369b890e39523d4c05eed161
- https://github.com/apache/airflow
- https://nvd.nist.gov/vuln/detail/CVE-2023-42780
- https://osv.dev/vulnerability/GHSA-cgx2-rrmr-jx43
- https://osv.dev/vulnerability/PYSEC-2023-202
What are Similar Vulnerabilities to CVE-2023-42780?
Similar Vulnerabilities: CVE-2022-38605, CVE-2023-31131, CVE-2022-37463, CVE-2022-37839, CVE-2023-50269
