[Critical] Apache Airflow Run Task Permission Bypass Vulnerability

News 2023-08-19 02:04:36 views: null

Vulnerability description

Airflow is an open source workflow automation platform that allows users to define, schedule and monitor the execution of workflow tasks. Run Tasks are run through Airflow's web interface or command-line tool.

In affected versions of Airflow, the Run Task feature allows users to manually trigger the execution of specific tasks without being restricted by normal task scheduling and dependencies. When a user does not have permission to perform a specific task, the execution of the task can be manually triggered through the Run Task function, thereby bypassing the access control and dependencies that should be implemented. Attackers can use the Run Task function to execute arbitrary code on the target server. Since DAG defines the dependencies and execution order between tasks, attackers can bypass certain DAG restrictions through Run Task.

Vulnerability name Apache Airflow Run Task Permission Bypass Vulnerability
Vulnerability type Improper access control
Discovery time 2023-08-05
Vulnerability Breadth generally
MPS number MPS-2vhe-kp7q
CVE number CVE-2023-39508
CNVD number -

Sphere of influence

apache-airflow@(-∞, 2.6.0)

Repair plan

Upgrade the component apache-airflow to 2.6.0 or higher

reference link

https://www.oscs1024.com/hd/MPS-2vhe-kp7q

https://nvd.nist.gov/vuln/detail/CVE-2023-39508

PR

Commit

    

Free intelligence subscription & code security detection

OSCS is the first open source software supply chain security community in China. The community cooperates with developers to help the world's top open source projects solve security problems, and provides real-time security vulnerability intelligence. It also provides professional code security detection tools for developers to use for free. Community developers can obtain first-hand intelligence by configuring Feishu, DingTalk, and WeChat bots.

Free Code Security Detection Tool:  https://www.murphysec.com/?src=osc

Free information subscription:  https://www.oscs1024.com/cm/?src=osc

For details on how to subscribe, see:  https://www.oscs1024.com/docs/vuln-warning/intro/?src=osc

Guess you like

Origin blog.csdn.net/murphysec/article/details/132142031
Recommended
Ranking
[Algorithm] greedy _ program scheduling issues
Spring 控制反转(IOC)
Data structure-6.6 figure
Indicates that the class or member method has abstract properties
Huawei v5 server installed Linux operating system
Postgresql source code analysis - creating ordinary tables
Chapter 10 Evaluation Classification Results
Cloud service Ubuntu 20.04 version uses Nginx to deploy static web pages
Java Exercise 17.1
Solve the problem that git cannot automatically push submission in IDEA Push failed: Failed with error: Could not read from remote repository.
Daily
More
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)

Code World

© 2018 codetd.com