CVE-2023-40611
Apache Airflow Incorrect Authorization vulnerability
4.3
MEDIUM
CVSS 3.1
EPSS 0.13%
Description
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability.
How to fix CVE-2023-40611
To remediate CVE-2023-40611, upgrade the affected package to a fixed version below.
- —upgrade to 2.7.3 or later
- —upgrade to 2.7.1 or later
- —upgrade to 2.7.1 or later
Is CVE-2023-40611 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.7.3
- from 0, < 2.7.1
- from 0, < 2.7.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |