GHSA-6m9r-7wrx-xmr6

Suggest an improvement
Source
https://github.com/advisories/GHSA-6m9r-7wrx-xmr6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-6m9r-7wrx-xmr6/GHSA-6m9r-7wrx-xmr6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6m9r-7wrx-xmr6
Aliases
Published
2023-12-21T12:30:28Z
Modified
2024-02-16T08:21:20.590636Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Apache Airflow Cross-Site Request Forgery vulnerability
Details

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later which is not affected

References

Affected packages

PyPI / apache-airflow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.8.0

Affected versions

2.*

2.7.0
2.7.1rc1
2.7.1rc2
2.7.1
2.7.2rc1
2.7.2
2.7.3rc1
2.7.3
2.8.0b1
2.8.0rc1
2.8.0rc2
2.8.0rc3
2.8.0rc4