Apache Airflow Breached: 4 Vulnerabilities Threaten Your Workflows

Apache Airflow, the backbone of countless workflow pipelines, has encountered unwelcome turbulence. Four security vulnerabilities, collectively known as CVE-2023-47265, CVE-2023-49920, CVE-2023-50783, and CVE-2023-48291, have landed in the Airflow ecosystem, putting your workflows and data at risk.

CVE-2023-47265: DAG Params allow to embed unchecked Javascript

Imagine a scenario where a seemingly innocuous feature turns into a potential threat. That’s precisely what happened with Apache Airflow versions 2.6.0 to 2.7.3. A stored XSS vulnerability was discovered, allowing DAG authors to embed unchecked JavaScript into the parameter description field. This crafty exploit could execute JavaScript on any user’s client-side, manipulating what they see when viewing DAG details. While it doesn’t allow server-side manipulation or exiting the browser sandbox, it opens doors to deception and misinformation.

CVE-2023-49920: Missing CSRF protection on DAG/trigger

Next, we encountered a flaw in Apache Airflow’s CSRF protection. Versions 2.7.0 through 2.7.3 were found to be vulnerable to an attack where a malicious website could trigger the execution of DAGs without the user’s consent. This flaw lay in the absence of CSRF validation in a GET request, leaving the door open for unauthorized DAG triggering.

CVE-2023-50783: Improper access control vulnerability on the “varimport” endpoint

Version 2.8.0 of Apache Airflow also resolved another critical issue in earlier versions. There was an improper access control vulnerability concerning the “varimport” endpoint. Users without the necessary permissions could update variables, posing a significant threat to data integrity and security. This vulnerability could have led to unauthorized data modifications, undermining the trust in data management within Airflow.

CVE-2023-48291: Improper access control to DAG resources

The final vulnerability we address is CVE-2023-48291, a lingering ghost from a previous vulnerability (CVE-2023-42792) in Apache Airflow 2.7.2. This flaw allowed users with restricted access to craft requests granting them unauthorized write access to various DAG resources. It was a significant oversight, potentially enabling unauthorized clearing of DAGs.

The Call to Action:

These vulnerabilities highlight the need for vigilance and swift action. Here’s what you can do:

  • Upgrade immediately: Airflow version 2.8.0 is the shield you need. It patches all four vulnerabilities, putting your workflows back on secure ground.
  • Review permissions: Double-check user access controls, ensuring only authorized individuals have edit privileges for variables and workflows.
  • Stay informed: Keep an eye on Airflow’s security bulletins and updates, staying ahead of future vulnerabilities.