CVE-2023-40611 Information

Description

Apache Airflow versions before 2.7.1 is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters start date etc.

Users should upgrade to version 2.7.1 or later which has removed the vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Reference

https://lists.apache.org/thread/8y9xk1s3j4qr36yzqn8ogbn9fl7pxrn0 https://github.com/apache/airflow/pull/33413

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

4.3