=====================================================================

                              CERT-Renater

                     Information Note No. 2023/VULN408

_____________________________________________________________________

DATE                : 18/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions 2.7
                                   prior to 2.7.2.

=====================================================================
https://lists.apache.org/thread/sy4l5d6tn58hr8r61r2fkt1f0qock9z9
https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq
https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9
https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d
_____________________________________________________________________

CVE-2023-45348: Apache Airflow: Configuration information leakage
vulnerability

Severity: important

Affected versions:

- Apache Airflow 2.7.0 before 2.7.2


Description:

Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a
vulnerability that allows an authenticated user to retrieve sensitive
configuration information when the "expose_config" option is set to
"non-sensitive-only". The "expose_config" option is False by default.
It is recommended to upgrade to a version that is not affected.


Credit:

L3yx of Syclover Security Team (finder)
Hussein Awala (remediation developer)


References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-45348

_____________________________________________________________________

CVE-2023-42792: Apache Airflow: Improper access control to DAG
resources

Severity: moderate

Affected versions:

- Apache Airflow before 2.7.2


Description:

Apache Airflow, in versions prior to 2.7.2, contains a security
vulnerability that allows an authenticated user with limited access
to some DAGs to craft a request that could give the user write access
to various DAG resources for DAGs that the user had no access to,
thus enabling the user to clear DAGs they should not be able to clear.

Users of Apache Airflow are strongly advised to upgrade to version
2.7.2 or newer to mitigate the risk associated with this vulnerability.


Credit:

balis0ng (finder)
Jarek Potiuk (remediation developer)


References:

https://github.com/apache/airflow/pull/34366
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-42792

_____________________________________________________________________

CVE-2023-42663: Apache Airflow: Bypass permission verification to
view task instances of other dags

Severity: low

Affected versions:

- Apache Airflow before 2.7.2


Description:

Apache Airflow, versions before 2.7.2, has a vulnerability that allows
an authorized user who has read access to specific DAGs only to read
information about task instances in other DAGs.

Users of Apache Airflow are advised to upgrade to version 2.7.2 or
newer to mitigate the risk associated with this vulnerability.


Credit:

balis0ng (finder)
Ephraim Anierobi (remediation developer)


References:

https://github.com/apache/airflow/pull/34315
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-42663

_____________________________________________________________________

CVE-2023-42780: Apache Airflow: Improper access control vulnerability
in the "List dag warnings" feature

Severity: low

Affected versions:

- Apache Airflow before 2.7.2


Description:

Apache Airflow, versions prior to 2.7.2, contains a security
vulnerability that allows authenticated users of Airflow to list
warnings for all DAGs, even if the user has no permission to see
those DAGs. This reveals the dag_ids and, for DAGs with import
errors, the stack traces of those import errors.

Users of Apache Airflow are advised to upgrade to version 2.7.2
or newer to mitigate the risk associated with this vulnerability.


Credit:

balis0ng (finder)
Hussein Awala (remediation developer)


References:

https://github.com/apache/airflow/pull/34355
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-42780
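
Added example (not part of the CERT-Renater note or the Apache advisories): a triage check that maps an installed Airflow version and its effective "expose_config" value to the four CVEs above, using only the version ranges stated in this note. The sample airflow.cfg text, the function names and the handling of pre-release suffixes are assumptions of this example; the AIRFLOW__WEBSERVER__EXPOSE_CONFIG override follows Airflow's standard environment-variable naming.

```python
import configparser
import re

FIXED = (2, 7, 2)  # first unaffected release according to the note

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CFG = """
[core]
dags_folder = /opt/airflow/dags

[webserver]
expose_config = non-sensitive-only
"""

def parse_version(text):
    """Return (major, minor, patch); pre-release suffixes are ignored (assumption)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Airflow version: {text!r}")
    return tuple(int(g) for g in m.groups())

def effective_expose_config(cfg_text, env):
    """Environment variable wins over airflow.cfg; the default is False."""
    override = env.get("AIRFLOW__WEBSERVER__EXPOSE_CONFIG")
    if override is not None:
        return override.strip().lower()
    parser = configparser.ConfigParser(interpolation=None)  # read values literally
    parser.read_string(cfg_text)
    value = parser.get("webserver", "expose_config", fallback="False")
    return value.strip().lower()

def triage(version, cfg_text, env):
    """List the CVEs from this note that apply to the given installation."""
    v = parse_version(version)
    findings = []
    # CVE-2023-45348: only 2.7.0 and 2.7.1, and only with non-sensitive-only.
    exposed = effective_expose_config(cfg_text, env) == "non-sensitive-only"
    if (2, 7, 0) <= v < FIXED and exposed:
        findings.append("CVE-2023-45348")
    # The three access-control issues affect every release before 2.7.2.
    if v < FIXED:
        findings += ["CVE-2023-42792", "CVE-2023-42663", "CVE-2023-42780"]
    return findings

if __name__ == "__main__":
    for ver in ("2.6.3", "2.7.1", "2.7.2"):
        print(ver, triage(ver, SAMPLE_CFG, {}))
```

In a real check, pass the contents of the deployment's airflow.cfg and os.environ of the webserver process rather than the constructed sample.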


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
