CVE-2023-50783
Improper Authorization vulnerability in apache-airflow (PyPI)
What is CVE-2023-50783 About?
Apache Airflow versions before 2.8.0 are vulnerable to an improper authorization flaw, allowing authenticated users without specific permissions to update variables. This compromises variable management integrity and can lead to unauthorized data modification. Exploitation is straightforward for an authenticated user.
Affected Software
Technical Details
In Apache Airflow versions preceding 2.8.0, an authorization bypass vulnerability exists within the variable management functionality. An authenticated user, even one explicitly lacking the 'variable edit' permission, could still interact with the Airflow API or UI in a way that allowed them to modify existing variables or create new ones. This indicates a failure in the permission enforcement logic, where checks for 'variable edit' permission were either absent or incorrectly applied when handling requests to update variables. This flaw undermines the integrity of configuration and operational data stored in Airflow variables, as unauthorized users could arbitrarily change critical settings, connection details, or other sensitive parameters.
What is the Impact of CVE-2023-50783?
Successful exploitation may allow attackers to perform unauthorized modification of variables, leading to disruption of services, unauthorized configuration changes, or potential data manipulation within the Airflow environment.
What is the Exploitability of CVE-2023-50783?
Exploitation is of low to medium complexity. It requires an authenticated user account within Apache Airflow. Authentication to the Airflow instance, typically via the web UI or API, is a prerequisite. The critical aspect is that no specific 'variable edit' privileges are required, as the vulnerability bypasses this check. Access is typically remote, as Airflow is a web application accessible over a network. There are no other special conditions beyond being an authenticated user and interacting with the variable management interface. The likelihood of exploitation increases if attackers can gain access to any authenticated Airflow account, regardless of its intended privilege level, as they can then escalate their control over variables.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2023-50783?
Available Upgrade Options
- apache-airflow
- <2.8.0 → Upgrade to 2.8.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/apache/airflow
- https://lists.apache.org/thread/rs7cr3yp726mb89s1m844hy9pq7frgcn
- http://www.openwall.com/lists/oss-security/2023/12/21/4
- https://github.com/apache/airflow/pull/33932
- https://github.com/apache/airflow/commit/0e1c106d7cd0703125528a691088e42e17c99929
- https://nvd.nist.gov/vuln/detail/CVE-2023-50783
- https://osv.dev/vulnerability/PYSEC-2023-267
- http://www.openwall.com/lists/oss-security/2023/12/21/4
- https://github.com/apache/airflow/pull/33932
- https://github.com/apache/airflow/pull/33932
What are Similar Vulnerabilities to CVE-2023-50783?
Similar Vulnerabilities: CVE-2023-42781 , CVE-2023-42663 , CVE-2023-50943 , CVE-2022-41689 , CVE-2022-40127
