CVE-2023-47037
Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes
4.3
MEDIUM
CVSS 3.1
EPSS 0.08%
Description
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability.
How to fix CVE-2023-47037
To remediate CVE-2023-47037, upgrade the affected package to a fixed version below.
- —upgrade to 2.7.3 or later
- —upgrade to 2.7.3 or later
- —upgrade to 2.7.3 or later
Is CVE-2023-47037 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.7.3
- from 0, < 2.7.3
- from 0, < 2.7.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |