CVE-2023-37379: Disable default allowing the testing of connections in UI, API and CLI by pankajkoti · Pull Request #32052 · apache/airflow

Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.


Conversation

pankajkoti changed the title from "Disable allowing by default testing of connnections in UI" to "Disable allowing by default the testing of connections in UI, API and CLI"

Jun 24, 2023

pankajkoti changed the title from "Disable allowing by default the testing of connections in UI, API and CLI" to "Disable default allowing the testing of connections in UI, API and CLI"

Jun 24, 2023

Users can enable the test connection functionality in the UI, with caution, by setting the `enable_test_connection` key to `True` in the `[webserver]` section of airflow.cfg or by setting the environment variable `AIRFLOW__WEBSERVER__ENABLE_TEST_CONNECTION` to `True`.

pankajkoti added a commit to astronomer/airflow that referenced this pull request

Aug 12, 2023

Following up PR apache#32052, the test connection is disabled in UI, API and CLI. The API and CLI strictly check for the config value to be set as `Enabled` for the functionality to be enabled, whereas the UI just checks that it is not set to `Disabled`. As a result, setting the config param to a value other than `Disabled` enables the button in the UI. Even though the button gets enabled, the API forbids it, as there is a strict check in the API that the value is set to `Enabled` and only then allows it; however, it makes sense to also strictly check in the UI that the value is set to `Enabled`.
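The gating mismatch the commit message describes, as an added example (not Airflow's own code): the weak UI check (anything but `Disabled`) beside the strict API/CLI check (exactly `Enabled`), applied to a value read from an airflow.cfg-style file with an environment-variable override. The section and key names (`[core] test_connection`, `AIRFLOW__CORE__TEST_CONNECTION`) and the sample config are assumptions constructed for the example.

```python
import configparser
from typing import Dict, Optional

# Assumed option location and override variable (constructed for this example).
SECTION, KEY = "core", "test_connection"
ENV_VAR = f"AIRFLOW__{SECTION.upper()}__{KEY.upper()}"

# Constructed sample config: an operator typed "Enable" instead of "Enabled".
SAMPLE_CFG = """
[core]
test_connection = Enable
"""


def load_setting(cfg_text: str, env: Optional[Dict[str, str]] = None) -> str:
    """Read the option from INI text; an AIRFLOW__* env var wins over the file.

    Missing section/key falls back to 'Disabled', the safe default."""
    env = {} if env is None else env
    if ENV_VAR in env:
        return env[ENV_VAR]
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    return parser.get(SECTION, KEY, fallback="Disabled")


def ui_allows_weak(value: str) -> bool:
    """Pre-fix UI gate: any value that is not exactly 'Disabled' shows the button."""
    return value != "Disabled"


def api_allows_strict(value: str) -> bool:
    """API/CLI gate (and the fixed UI gate): only the exact value 'Enabled' passes."""
    return value == "Enabled"


def gating_report(value: str) -> Dict[str, object]:
    """Evaluate both gates; 'inconsistent' marks button-shown-but-API-forbids."""
    ui, api = ui_allows_weak(value), api_allows_strict(value)
    return {"value": value, "ui_weak": ui, "api_strict": api, "inconsistent": ui and not api}


if __name__ == "__main__":
    # Typos ("Enable") and case variants ("enabled") pass the weak gate only.
    for v in ("Enabled", "Disabled", load_setting(SAMPLE_CFG), "enabled"):
        print(gating_report(v))
```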

hussein-awala pushed a commit that referenced this pull request

Aug 12, 2023


ephraimbuddy pushed a commit that referenced this pull request

Aug 14, 2023


(cherry picked from commit 50765eb)

ferruzzi pushed a commit to aws-mwaa/upstream-to-airflow that referenced this pull request

Aug 17, 2023

…3342)


Related news

GHSA-x2mh-8fmc-rqgh: Apache Airflow denial of service vulnerability

