CVE-2023-42663
MEDIUM
Apache Airflow < 2.7.2 - Authenticated Exposure of Sensitive Task Instance Information
Title source: llm
Description
Apache Airflow versions before 2.7.2 have a vulnerability that allows an authorized user who has read access to specific DAGs only to read information about task instances in other DAGs. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
References (3)
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/12/2
Patch
https://github.com/apache/airflow/pull/34315
Mailing List, Vendor Advisory
https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9
Scores
CVSS v3
6.5
EPSS
0.0040
EPSS Percentile
60.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
apache/airflow
< 2.7.2
pypi/apache-airflow
0 - 2.7.2 (PyPI)
Published
Oct 14, 2023
Tracked Since
Feb 18, 2026