CVE-2023-50944: Apache Airflow: Bypass permission verification to read code of other dags
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don’t have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.
References
- github.com/advisories/GHSA-vm5m-qmrx-fw8w
- github.com/apache/airflow
- github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1
- github.com/apache/airflow/pull/36257
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml
- lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
- nvd.nist.gov/vuln/detail/CVE-2023-50944