CVE-2023-47037
MEDIUM
Apache Airflow < 2.7.3 - Authenticated DAG Run Detail Modification via Notes Submission
Title source: llm
Description
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability.
References (3)
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/12/1
Issue Tracking, Patch patch
https://github.com/apache/airflow/pull/33413
Mailing List vendor-advisory
https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0
Scores
CVSS v3
4.3
EPSS
0.0008
EPSS Percentile
24.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
apache/airflow
< 2.7.3
pypi/apache-airflow
0 - 2.7.3
PyPI
Published
Nov 12, 2023
Tracked Since
Feb 18, 2026