Description
dag-factory is a library for Apache Airflow® to construct DAGs declaratively via configuration files. In versions 0.23.0a8 and below, a high-severity vulnerability has been identified in the cicd.yml workflow within the astronomer/dag-factory GitHub repository. The workflow, specifically when triggered by pull_request_target, is susceptible to exploitation, allowing an attacker to execute arbitrary code within the GitHub Actions runner environment. This misconfiguration enables an attacker to establish a reverse shell, exfiltrate sensitive secrets, including the highly-privileged GITHUB_TOKEN, and ultimately gain full control over the repository. This is fixed in version 0.23.0a9.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
High
Integrity (Subsequent System)
High
Availability (Subsequent System)
High
E
Unchanged
Affected products
- astronomer / dag-factory< 0.23.0a9 – < 0.23.0a9
References
- VENDOR_ADVISORYhttps://github.com/astronomer/dag-factory/security/advisories/GHSA-g5hx-xv45-9whg
- PATCHhttps://github.com/astronomer/dag-factory/pull/460
- PATCHhttps://github.com/astronomer/dag-factory/pull/466
- PATCHhttps://github.com/astronomer/dag-factory/commit/751c0e58369e784f6a924347e381a705ea8133fe