In this post, we will discuss a security vulnerability (CVE-2023-42792) that affects Apache Airflow in versions prior to 2.7.2. Apache Airflow is a popular open-source platform used to programmatically author, schedule, and monitor workflows. The vulnerability exists due to inappropriate access controls and allows an authenticated but unauthorized user to gain write access and manipulate DAG resources that they should not have access to. We will provide a brief description of the issue, share code snippets to demonstrate the vulnerability, and provide guidance on how to fix this issue.
Vulnerability Details
The vulnerability resides in the part of Apache Airflow that handles access to DAG resources for authenticated users with limited access. Due to insufficient security controls, an attacker could craft a request that enables them to gain write access to resources that they should not have access to, which can lead to unauthorized clearing of DAGs.
CVE-2023-42792 affects Apache Airflow in versions prior to 2.7.2.
Original References
* Apache Airflow Security Advisory
* CVE-2023-42792 - NVD Details
The following code snippet is an example of a vulnerable request
import requests
from requests.auth import HTTPBasicAuth
url = "http://example.com/airflow/task-clear?dag_id=UNAUTHORIZED_DAG_ID&task_id=UNAUTHORIZED_TASK_ID";
auth = HTTPBasicAuth("username_example", "password_example")
response = requests.get(url, auth=auth)
By modifying the dag_id and task_id parameters in the URL, an attacker could gain write access to DAG resources of other DAGs that they should not have access to. This would enable them to clear tasks and manipulate DAGs that they do not have permissions for.
Mitigation
To protect your Apache Airflow installation against this vulnerability, you should upgrade to version 2.7.2 or newer. The issue has been fixed in these versions.
You can update your Airflow installation by running the following command
pip install --upgrade 'apache-airflow[all]==2.7.2'
After upgrading your installation, you should test your workflows to ensure they function properly with the new version. It is also a good idea to monitor your systems for any suspicious activity related to this vulnerability.
Conclusion
CVE-2023-42792 is a critical security vulnerability affecting Apache Airflow versions prior to 2.7.2. This vulnerability allows authenticated users with limited access to unauthorized DAG resources, potentially enabling them to clear and manipulate DAGs that they should not have access to.
To mitigate this risk, you should upgrade to Apache Airflow version 2.7.2 or newer as soon as possible. By keeping your software up-to-date, you can help ensure the security and integrity of your workflows and systems.
Timeline
Published on: 10/14/2023 10:15:10 UTC
Last modified on: 10/18/2023 18:50:16 UTC