CVE-2023-37379: Apache Airflow: Exposure of sensitive connection information, DOS and SSRF on "test connection" feature
First published: Wed Aug 23 2023(Updated: )
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server. Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/apache-airflow | <2.7.0 | 2.7.0 |
| Apache Airflow | <2.7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-37379
- https://github.com/apache/airflow/pull/32052
- https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r
- http://www.openwall.com/lists/oss-security/2023/08/23/4
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml
- https://github.com/advisories/GHSA-x2mh-8fmc-rqgh (Advisory)
Frequently Asked Questions
What is CVE-2023-37379?
CVE-2023-37379 is a security vulnerability in Apache Airflow that allows an authenticated user to access sensitive connection information and exploit the test connection feature.
What is the severity of CVE-2023-37379?
CVE-2023-37379 has a severity rating of 8.1, which is categorized as high.
How can CVE-2023-37379 be exploited?
An authenticated user with Connection edit privileges can exploit CVE-2023-37379 by accessing connection information and sending multiple requests to exploit the test connection feature.
How do I fix CVE-2023-37379?
To fix CVE-2023-37379, you should upgrade to Apache Airflow version 2.7.0 or later.
Where can I find more information about CVE-2023-37379?
You can find more information about CVE-2023-37379 on the official Apache Airflow GitHub repository and the OSS Security mailing list.
- collector/nvd-api
- collector/nvd-cve
- collector/nvd-index
- collector/oss-sec
- alias/CVE-2023-37379
- collector/github-advisory-latest
- alias/GHSA-x2mh-8fmc-rqgh
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- vendor/apache
- canonical/apache airflow
- package-manager/pip