CVE-2023-50944

Description

Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

Apache Software Foundation / Apache Airflow0 – 2.8.1

References

PATCHhttps://github.com/apache/airflow/pull/36257
MAILING_LISThttps://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
MAILING_LISThttp://www.openwall.com/lists/oss-security/2024/01/24/5