First published: Thu Dec 21 2023
Apache Airflow versions 2.7.0 through 2.7.3 have a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser, by a user who also had the Airflow UI open, to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later, which is not affected.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
pip/apache-airflow | >=2.7.0, <2.8.0 | 2.8.0 |
Apache Airflow | >=2.7.0, <=2.7.3 | |
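
The flaw class described above, a state-changing action reachable by GET with no CSRF token, shown beside a handler that requires POST and a session-bound token. This is an added example, not Airflow's code; the handler names, the `csrf_token` form field and the session ids are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SECRET = secrets.token_bytes(32)  # server-side signing key, generated for this example


def csrf_token(session_id: str) -> str:
    """Token bound to one session; a page on another origin cannot read or derive it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def trigger_unchecked(method: str, session_id: Optional[str], form: dict) -> int:
    """Hypothetical handler with the advisory's flaw: GET changes state, no token check."""
    if session_id is None:
        return 401
    return 200 if method in ("GET", "POST") else 405  # 200 = run started


def trigger_checked(method: str, session_id: Optional[str], form: dict) -> int:
    """Hypothetical hardened handler: POST only, and the token must match the session."""
    if session_id is None:
        return 401
    if method != "POST":
        return 405
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id)):
        return 403
    return 200


def evaluate() -> dict:
    """Run three constructed requests through both handlers; return the status codes."""
    sid = "session-abc"  # constructed; the browser attaches this session to every request
    requests = {
        # Request initiated by another site: session is sent, no token is available.
        "cross_site_get": ("GET", sid, {}),
        "cross_site_post": ("POST", sid, {}),
        # Form rendered by the application itself: the token is embedded in the page.
        "same_site_post": ("POST", sid, {"csrf_token": csrf_token(sid)}),
    }
    return {
        name: (trigger_unchecked(*req), trigger_checked(*req))
        for name, req in requests.items()
    }


if __name__ == "__main__":
    for name, (unchecked, checked) in evaluate().items():
        print(f"{name:16} unchecked={unchecked} checked={checked}")
```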