Users are strongly advised to upgrade to version 2.7.1 or later, which has removed the vulnerability.

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors. Users should upgrade to version 2.7.3 or later, which has removed the vulnerability.

Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. This could have them alter details such as configuration parameters, start date, etc. We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then.

Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes. Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability. This is a different issue than CVE-2023-42663 but leads to a similar outcome.

Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only to read information about task instances in other DAGs.