
AVID-2026-R1256

Description

Apache Airflow: Exposure of sensitive connection information, DOS and SSRF on “test connection” feature (CVE-2023-37379)

Details

Apache Airflow, in versions prior to 2.7.0, allows an authenticated user who holds edit privileges on Connections to abuse the "test connection" feature. Through that feature the user can obtain connection information they should not see, can submit a large number of test requests and exhaust the webserver's resources (denial of service), and can make the Airflow server open outbound connections to hosts and ports of the user's choosing (server-side request forgery). No unauthenticated path is described; the precondition is a user with Connection edit permission.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer. Starting with 2.7.0 the test connection feature is turned off by default and is controlled by the `[core] test_connection` option (`Disabled`, `Enabled` or `Hidden`); only `Enabled` turns the feature on, so leave it at `Disabled` unless it is genuinely needed, and then only for deployments where every role with Connection edit rights is trusted. Independently of the upgrade, administrators should review which roles hold edit permission on Connections and remove it where it is not required, since that permission is what the attack depends on.
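As an added example (not code from the AVID entry or from the Airflow project), the following Python script performs the two checks an administrator would run after reading the advisory: it lists the RBAC roles that grant `can_edit` on the `Connection` resource, and it decides whether the test-connection feature is reachable given the Airflow version and the `[core] test_connection` setting. The role payload is assumed to have the shape returned by Airflow's stable REST API endpoint `GET /api/v1/roles`; the role names (including the hypothetical `data-team` role) and the two `airflow.cfg` fragments are constructed sample data so the script runs offline.

```python
"""Added audit example for CVE-2023-37379 (not code from the AVID entry or
the Airflow project).

Two checks an administrator would run against a deployment:
  1. which RBAC roles hold can_edit on the Connection resource (the
     precondition for abusing the test-connection feature), and
  2. whether the test-connection feature is usable, given the Airflow
     version and the [core] test_connection option that 2.7.0 introduced.

Assumptions: the role payload has the shape returned by Airflow's stable
REST API endpoint GET /api/v1/roles; all sample data below is constructed.
"""
import configparser
import re

# Constructed sample in the shape of a GET /api/v1/roles response.
SAMPLE_ROLES = {
    "roles": [
        {"name": "Admin", "actions": [
            {"action": {"name": "can_edit"}, "resource": {"name": "Connection"}},
            {"action": {"name": "can_delete"}, "resource": {"name": "Connection"}},
        ]},
        {"name": "Viewer", "actions": [
            {"action": {"name": "can_read"}, "resource": {"name": "Connection"}},
        ]},
        {"name": "data-team", "actions": [  # hypothetical custom role
            {"action": {"name": "can_edit"}, "resource": {"name": "Connection"}},
            {"action": {"name": "can_read"}, "resource": {"name": "DAG"}},
        ]},
    ],
    "total_entries": 3,
}

# Constructed airflow.cfg fragments: the weak setting and the corrected one.
CFG_WEAK = "[core]\nexecutor = LocalExecutor\ntest_connection = Enabled\n"
CFG_HARDENED = "[core]\nexecutor = LocalExecutor\ntest_connection = Disabled\n"

FIXED_VERSION = (2, 7, 0)


def roles_with_connection_edit(roles_payload):
    """Names of roles that grant can_edit on the Connection resource."""
    found = []
    for role in roles_payload.get("roles", []):
        for perm in role.get("actions", []):
            if (perm.get("action", {}).get("name") == "can_edit"
                    and perm.get("resource", {}).get("name") == "Connection"):
                found.append(role["name"])
                break
    return found


def parse_version(version):
    """'2.7.1' -> (2, 7, 1); a suffix such as '2.7.0rc1' is tolerated."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def connection_testing_enabled(cfg_text, airflow_version):
    """True when the test-connection feature is usable on this deployment."""
    if parse_version(airflow_version) < FIXED_VERSION:
        # Before 2.7.0 there is no switch: the feature is always on.
        return True
    cfg = configparser.ConfigParser(interpolation=None)  # airflow.cfg values may contain '%'
    cfg.read_string(cfg_text)
    # From 2.7.0 the default is Disabled; only Enabled turns the feature on
    # (Hidden also turns it off and removes the UI button).
    value = cfg.get("core", "test_connection", fallback="Disabled")
    return value.strip().lower() == "enabled"


def audit(roles_payload, cfg_text, airflow_version):
    """Combine the two checks into one finding dictionary."""
    editors = roles_with_connection_edit(roles_payload)
    enabled = connection_testing_enabled(cfg_text, airflow_version)
    return {
        "airflow_version": airflow_version,
        "vulnerable_version": parse_version(airflow_version) < FIXED_VERSION,
        "test_connection_enabled": enabled,
        "roles_with_connection_edit": editors,
        # Exposure needs both: a role that can edit Connections and a usable feature.
        "at_risk": enabled and bool(editors),
    }


if __name__ == "__main__":
    for version, cfg in (("2.6.3", ""), ("2.7.1", CFG_WEAK), ("2.7.1", CFG_HARDENED)):
        print(audit(SAMPLE_ROLES, cfg, version))
```

In practice the role payload would come from an authenticated call to `/api/v1/roles` and the configuration text from the deployed `airflow.cfg` (or the equivalent `AIRFLOW__CORE__TEST_CONNECTION` environment variable, which this script does not read). The `at_risk` flag is deliberately conservative: a pre-2.7.0 deployment is reported as exposed regardless of configuration, because no option exists there to turn the feature off.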

Reason for inclusion in AVID: CVE-2023-37379 describes a software vulnerability in Apache Airflow, an orchestration component commonly used in ML pipelines, that lets authenticated users with Connection edit privileges access sensitive connection information, cause a DoS through the test-connection feature, and potentially perform SSRF. Because Airflow is frequently part of AI system supply chains (build, train, deploy and serve pipelines), this qualifies as a software supply-chain vulnerability affecting AI tooling, with verifiable CVE details and recommended mitigations.

References

Affected or Relevant Artifacts

  • Developer: Apache Software Foundation
  • Deployer: Apache Software Foundation
  • Artifact Details:
      Type: System
      Name: Apache Airflow

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CWE

ID       Description
CWE-400  Uncontrolled Resource Consumption
CWE-918  Server-Side Request Forgery (SSRF)
CWE-200  Exposure of Sensitive Information to an Unauthorized Actor

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-08-23
  • Version: 0.3.3
  • AVID Entry