CVE-2023-50944

Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/01/24/5	Mailing List
https://github.com/apache/airflow/pull/36257	Third Party Advisory
https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/01/24/5	Mailing List
https://github.com/apache/airflow/pull/36257	Third Party Advisory
https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

13 Feb 2025, 18:15

Type	Values Removed	Values Added
Summary	(en) Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.	(en) Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.

Information

Published : 2024-01-24 13:15

Updated : 2025-02-13 18:15

NVD link : CVE-2023-50944

Mitre link : CVE-2023-50944

CVE.ORG link : CVE-2023-50944

JSON object : View

Products Affected

apache

airflow

CWE

CWE-862

Missing Authorization

{"id": "CVE-2023-50944", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-01-24T13:15:08.070", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/01/24/5", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "https://github.com/apache/airflow/pull/36257", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/24/5", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/apache/airflow/pull/36257", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access.\u00a0This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue."}, {"lang": "es", "value": "Apache Airflow, versiones anteriores a la 2.8.1, tienen una vulnerabilidad que permite a un usuario autenticado acceder al c\u00f3digo fuente de un DAG al que no tiene acceso. Esta vulnerabilidad se considera baja ya que requiere un usuario autenticado para explotarla. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.8.1, que soluciona este problema."}], "lastModified": "2025-02-13T18:15:52.743", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "601FB744-D9A1-4FE0-A5AD-552A9605C501", "versionEndExcluding": "2.8.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}