First published: Tue Jul 11 2023(Updated: )
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected
Credit: security@apache.org security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Airflow | <2.6.3 | |
pip/apache-airflow | <2.6.3 | 2.6.3 |
<2.6.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-22888 is a vulnerability in Apache Airflow that allows an attacker to cause a service disruption by manipulating the run_id parameter.
CVE-2023-22888 has a severity rating of medium with a score of 6.5.
To exploit CVE-2023-22888, an attacker needs to be an authenticated user and manipulate the run_id parameter.
To fix CVE-2023-22888, it is recommended to upgrade Apache Airflow to version 2.6.3 or higher.
More information about CVE-2023-22888 can be found at the following references: [GitHub](https://github.com/apache/airflow/pull/32293), [Apache Mailing List](https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-22888).