CVE-2023-42780

EPSS 0.15%
Veröffentlicht 14.10.2023 10:15:10
Zuletzt bearbeitet 21.11.2024 08:23:08
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors.
Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version < 2.7.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.359

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/apache/airflow/pull/34355

Patch

https://lists.apache.org/thread/h5tvsvov8j55wojt5sojdprs05oby34d

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-42780

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-42780

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-42780

EUVD