In this post, we will discuss a security vulnerability (CVE-2023-42792) that affects Apache Airflow in versions prior to 2.7.2. Apache Airflow is a popular open-source platform used to programmatically author, schedule, and monitor workflows. The vulnerability exists due to inappropriate access controls and allows an authenticated but unauthorized user to gain write access and manipulate DAG resources that they should not have access to. We will provide a brief description of the issue, share code snippets to demonstrate the vulnerability, and provide guidance on how to fix this issue.

Vulnerability Details

The vulnerability resides in the part of Apache Airflow that handles access to DAG resources for authenticated users with limited access. Due to insufficient security controls, an attacker could craft a request that enables them to gain write access to resources that they should not have access to, which can lead to unauthorized clearing of DAGs.

CVE-2023-42792 affects Apache Airflow in versions prior to 2.7.2.

Original References

* Apache Airflow Security Advisory
* CVE-2023-42792 - NVD Details

The following code snippet is an example of a vulnerable request

import requests
from requests.auth import HTTPBasicAuth

url = "http://example.com/airflow/task-clear?dag_id=UNAUTHORIZED_DAG_ID&task_id=UNAUTHORIZED_TASK_ID";
auth = HTTPBasicAuth("username_example", "password_example")
response = requests.get(url, auth=auth)

By modifying the dag_id and task_id parameters in the URL, an attacker could gain write access to DAG resources of other DAGs that they should not have access to. This would enable them to clear tasks and manipulate DAGs that they do not have permissions for.

Mitigation

To protect your Apache Airflow installation against this vulnerability, you should upgrade to version 2.7.2 or newer. The issue has been fixed in these versions.

You can update your Airflow installation by running the following command

pip install --upgrade 'apache-airflow[all]==2.7.2'

After upgrading your installation, you should test your workflows to ensure they function properly with the new version. It is also a good idea to monitor your systems for any suspicious activity related to this vulnerability.

Conclusion

CVE-2023-42792 is a critical security vulnerability affecting Apache Airflow versions prior to 2.7.2. This vulnerability allows authenticated users with limited access to unauthorized DAG resources, potentially enabling them to clear and manipulate DAGs that they should not have access to.

To mitigate this risk, you should upgrade to Apache Airflow version 2.7.2 or newer as soon as possible. By keeping your software up-to-date, you can help ensure the security and integrity of your workflows and systems.

Timeline

Published on: 10/14/2023 10:15:10 UTC
Last modified on: 10/18/2023 18:50:16 UTC