{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-49920","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2023-12-02T15:33:40.610Z","datePublished":"2023-12-21T09:27:09.651Z","dateUpdated":"2025-02-13T17:18:58.218Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://pypi.python.org","defaultStatus":"unaffected","packageName":"apache-airflow","product":"Apache Airflow","vendor":"Apache Software Foundation","versions":[{"lessThan":"2.8.0","status":"affected","version":"2.7.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Tareq Ahamed ( 0xt4req)"},{"lang":"en","type":"remediation developer","value":"Jens Scheffler"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation.&nbsp;As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.<br>Users are advised to upgrade to version 2.8.0 or later which is not affected"}],"value":"Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. \nAs a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.\nUsers are advised to upgrade to version 2.8.0 or later which is not affected"}],"metrics":[{"other":{"content":{"text":"moderate"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-352","description":"CWE-352 Cross-Site Request Forgery (CSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2023-12-21T09:30:08.793Z"},"references":[{"tags":["patch"],"url":"https://github.com/apache/airflow/pull/36026"},{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq"},{"url":"http://www.openwall.com/lists/oss-security/2023/12/21/3"}],"source":{"discovery":"UNKNOWN"},"title":"Apache Airflow: Missing CSRF protection on DAG/trigger","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T22:09:49.196Z"},"title":"CVE Program Container","references":[{"tags":["patch","x_transferred"],"url":"https://github.com/apache/airflow/pull/36026"},{"tags":["vendor-advisory","x_transferred"],"url":"https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq"},{"url":"http://www.openwall.com/lists/oss-security/2023/12/21/3","tags":["x_transferred"]}]}]}}
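The record describes the bug class (CWE-352) but not the mechanics. The following is an added example, not Apache Airflow's code and not the fix in the referenced pull request: it models, in plain Python with no web framework, a "trigger DAG" handler that accepts GET and checks only the session cookie, beside a hardened handler that requires POST plus a per-session synchronizer token. All names (`vulnerable_trigger`, `hardened_trigger`, `SESSIONS`, the `Request` stand-in, the `dag_id` value and the session cookie value) are hypothetical, and the requests are constructed inline to stand in for what a browser would send from a malicious page while the Airflow UI session is still logged in.

```python
"""CSRF on a state-changing GET endpoint, modelled in plain Python.

Hypothetical model of CWE-352 as the advisory describes it: a 'trigger DAG'
handler that accepts GET and checks only the session cookie, beside a
hardened handler that requires POST and a per-session synchronizer token.
This is illustrative code, not Airflow's handler or its patch.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    cookies: dict = field(default_factory=dict)   # attached by the browser automatically
    args: dict = field(default_factory=dict)      # query string
    form: dict = field(default_factory=dict)      # POST body


# Server state (constructed): one logged-in session with its own CSRF token.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": secrets.token_urlsafe(32)},
}
TRIGGERED = []   # DAG runs the server actually started: (dag_id, user)


def _run_dag(dag_id, session):
    TRIGGERED.append((dag_id, session["user"]))
    return 200


def vulnerable_trigger(req):
    """Before: any method is accepted and only the session cookie is checked.
    Browsers attach cookies to cross-site top-level GETs (SameSite=Lax included),
    so a third-party page can fire this with the victim's privileges."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401
    dag_id = req.args.get("dag_id") or req.form.get("dag_id")
    if not dag_id:
        return 400
    return _run_dag(dag_id, session)


def hardened_trigger(req):
    """After: the state change happens only on POST, and only with a token that
    the attacker's origin cannot read (same-origin policy) or guess (random),
    compared in constant time."""
    if req.method != "POST":
        return 405
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403
    dag_id = req.form.get("dag_id")
    if not dag_id:
        return 400
    return _run_dag(dag_id, session)


VICTIM_COOKIES = {"session": "sess-alice"}   # constructed: the victim's live UI session


def cross_site_get(handler, dag_id="nightly_export"):
    """What an <img src=...> or link on a malicious page produces: a GET carrying
    the victim's cookies and whatever query string the attacker chose."""
    return handler(Request("GET", dict(VICTIM_COOKIES), args={"dag_id": dag_id}))


def cross_site_post(handler, dag_id="nightly_export"):
    """An auto-submitting cross-site form: POST with cookies but no valid token,
    because the attacker's page cannot read the victim's token."""
    return handler(Request("POST", dict(VICTIM_COOKIES), form={"dag_id": dag_id}))


def legitimate_post(handler, dag_id="nightly_export"):
    """The real UI: the form rendered for this session embeds this session's token."""
    token = SESSIONS["sess-alice"]["csrf_token"]
    return handler(Request("POST", dict(VICTIM_COOKIES),
                           form={"dag_id": dag_id, "csrf_token": token}))


if __name__ == "__main__":
    print("vulnerable, cross-site GET :", cross_site_get(vulnerable_trigger))   # 200, DAG ran
    print("hardened,   cross-site GET :", cross_site_get(hardened_trigger))     # 405
    print("hardened,   cross-site POST:", cross_site_post(hardened_trigger))    # 403
    print("hardened,   legitimate POST:", legitimate_post(hardened_trigger))    # 200
    print("runs started:", TRIGGERED)
```

The point the model makes is that the session cookie alone is not evidence of user intent: the browser sends it on the attacker's behalf, and SameSite=Lax does not help for GET navigations, which is exactly why a GET that changes state is dangerous. Requiring POST is necessary but not sufficient (a cross-site form can POST); the per-session token is what the attacker's origin cannot supply. For the actual change made in Airflow 2.8.0, consult the patch linked in the record.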