QwikSec

Security Database

CVE

CWE

Training

CVE-2023-49920

Published: Dec 21, 2023

Modified: Feb 13, 2025

PUBLISHED

Description

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later which is not affected

Vendor	Product	Versions
Apache Software Foundation	Apache Airflow	affected `2.7.0 - < 2.8.0`

Weaknesses (CWE)

References

https://github.com/apache/airflow/pull/36026

patch

https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/12/21/3

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.