CVE-2023-50944

MEDIUM

Apache Airflow < 2.8.1 - Authenticated Unauthorized DAG Source Code Access

Description

Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.

Scores

CVSS v3: 6.5
EPSS: 0.0015
EPSS Percentile: 34.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-862
Status: published
Products (2):
apache/airflow < 2.8.1
pypi/apache-airflow 0 - 2.8.1rc1 (PyPI)
Published: Jan 24, 2024
Tracked Since: Feb 18, 2026