AVID-2026-R1279
Description
Apache Airflow: Improper access control to DAG resources (CVE-2023-42792)
Details
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thereby enabling the user to clear DAGs they should not be able to.
Users of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
Reason for inclusion in AVID: CVE-2023-42792 describes an authorization flaw in Apache Airflow where an authenticated user with limited access to some DAGs can craft requests to gain write access to DAG resources, enabling actions such as clearing DAGs. This is a software vulnerability in a workflow orchestration component commonly used in AI/ML pipelines, impacting the integrity and security of AI workloads. As Airflow is a widely used tool in building, deploying, and running AI systems, this is relevant to the general-purpose AI supply chain. The description and references provide sufficient signal and mitigation guidance (upgrade to 2.7.2+).
References
- NVD entry
- https://github.com/apache/airflow/pull/34366
- https://lists.apache.org/thread/1spbo9nkn49fc2hnxqm9tf6mgqwp9tjq
- http://www.openwall.com/lists/oss-security/2023/12/21/1
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-668 | Exposure of Resource to Wrong Sphere |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-10-14
- Version: 0.3.3
- AVID Entry