CVE-2023-47037

low-risk

Published 2023-11-12

We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability.

Do I need to act?

0.08% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Airflow

Affected Vendors

Apache

References (6)

Mailing List http://www.openwall.com/lists/oss-security/2023/11/12/1

Issue Tracking https://github.com/apache/airflow/pull/33413

Mailing List https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0

Mailing List http://www.openwall.com/lists/oss-security/2023/11/12/1

Issue Tracking https://github.com/apache/airflow/pull/33413

Mailing List https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal