CVE-2023-22888 - OpenCVE

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Airflow

Configuration 1 [-]

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/apache/airflow/pull/32293
https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-07-12T09:17:55.338Z

Updated: 2024-08-02T10:20:31.298Z

Reserved: 2023-01-09T19:39:45.667Z

Link: CVE-2023-22888

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-12T10:15:09.780

Modified: 2023-07-20T15:42:40.977

Link: CVE-2023-22888

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-22888", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-01-09T19:39:45.667Z", "datePublished": "2023-07-12T09:17:55.338Z", "dateUpdated": "2024-08-02T10:20:31.298Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.6.3", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Zhipeng Zhang (@timon8)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected"}], "value": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-07-12T09:17:55.338Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/32293"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Scheduler remote DoS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:31.298Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "x_transferred"], "url": "https://github.com/apache/airflow/pull/32293"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/dnlht2hvm7k81k5tgjtsfmk27c76kq7z"}]}]}}