Headline
CVE-2023-37379: Disable default allowing the testing of connections in UI, API and CLI by pankajkoti · Pull Request #32052 · apache/airflow
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.
Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.
Conversation
pankajkoti changed the title from "Disable allowing by default testing of connnections in UI" to "Disable allowing by default the testing of connections in UI, API and CLI"
Jun 24, 2023
pankajkoti changed the title from "Disable allowing by default the testing of connections in UI, API and CLI" to "Disable default allowing the testing of connections in UI, API and CLI"
Jun 24, 2023
Users can enable test connection functionality in UI with caution by setting the `enable_test_connection` key to `True` in the `[webserver]` section of airflow.cfg or by setting the environment variable `AIRFLOW__WEBSERVER__ENABLE_TEST_CONNECTION` to `True`.
pankajkoti added a commit to astronomer/airflow that referenced this pull request
Aug 12, 2023
Following up PR apache#32052, the test connection is disabled in UI, API and CLI. The API and CLI strictly check for the config value to be set as `Enabled` for the functionality to be enabled, whereas the UI just checks that it is not set to `Disabled`. As a result, setting the config param to values other than `Disabled` enables the button in the UI. Even though the button gets enabled, the API forbids it, as there is a strict check in the API that the value is set to `Enabled` and only then allows it; however, it makes sense to also strictly check in the UI that the value is set to `Enabled`.
hussein-awala pushed a commit that referenced this pull request
Aug 12, 2023
Following up PR #32052, the test connection is disabled in UI, API and CLI. The API and CLI strictly check for the config value to be set as `Enabled` for the functionality to be enabled, whereas the UI just checks that it is not set to `Disabled`. As a result, setting the config param to values other than `Disabled` enables the button in the UI. Even though the button gets enabled, the API forbids it, as there is a strict check in the API that the value is set to `Enabled` and only then allows it; however, it makes sense to also strictly check in the UI that the value is set to `Enabled`.
ephraimbuddy pushed a commit that referenced this pull request
Aug 14, 2023
Following up PR #32052, the test connection is disabled in UI, API and CLI. The API and CLI strictly check for the config value to be set as `Enabled` for the functionality to be enabled, whereas the UI just checks that it is not set to `Disabled`. As a result, setting the config param to values other than `Disabled` enables the button in the UI. Even though the button gets enabled, the API forbids it, as there is a strict check in the API that the value is set to `Enabled` and only then allows it; however, it makes sense to also strictly check in the UI that the value is set to `Enabled`.
(cherry picked from commit 50765eb)
ferruzzi pushed a commit to aws-mwaa/upstream-to-airflow that referenced this pull request
Aug 17, 2023
…3342)
Following up PR apache#32052, the test connection is disabled in UI, API and CLI. The API and CLI strictly check for the config value to be set as `Enabled` for the functionality to be enabled, whereas the UI just checks that it is not set to `Disabled`. As a result, setting the config param to values other than `Disabled` enables the button in the UI. Even though the button gets enabled, the API forbids it, as there is a strict check in the API that the value is set to `Enabled` and only then allows it; however, it makes sense to also strictly check in the UI that the value is set to `Enabled`.
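The PR description above shows the option being read from airflow.cfg or an `AIRFLOW__...` environment variable, and the follow-up commits describe why a gate of the form "value is not `Disabled`" is weaker than "value is `Enabled`". The script below is an added illustration written for this page, not code from the Airflow project or its authors: it resolves the setting the way the description sketches (environment variable overriding the cfg file, secure default otherwise) and then shows, on constructed inputs, which values the strict and the lax check disagree on. The section name `core`, the key `test_connection` and the environment variable `AIRFLOW__CORE__TEST_CONNECTION` are assumptions for the example, not taken from the page.

```python
"""Added example (not Airflow's own code): a fail-closed gate for the
"test connection" feature, contrasting the strict check the follow-up
commits describe for the API/CLI (value must equal "Enabled") with the
looser pre-fix UI check (value merely not equal to "Disabled").

Assumptions, labelled and not taken from the page: the option lives in a
[core] section under the key test_connection in an airflow.cfg-style INI
text, and an AIRFLOW__CORE__TEST_CONNECTION environment variable overrides
it (Airflow's general AIRFLOW__<SECTION>__<KEY> convention).
"""
import configparser
import os
from typing import Iterable, List, Mapping, Optional

SECTION = "core"            # assumed section name
KEY = "test_connection"     # assumed key name
ENV_VAR = f"AIRFLOW__{SECTION.upper()}__{KEY.upper()}"
DEFAULT = "Disabled"        # secure default: feature is off unless explicitly enabled


def resolve_setting(cfg_text: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Effective value: environment variable wins over the cfg file, which wins over DEFAULT."""
    env = os.environ if env is None else env
    if ENV_VAR in env:
        return env[ENV_VAR].strip()
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    # fallback= also covers a missing [core] section, so an empty cfg yields DEFAULT
    return parser.get(SECTION, KEY, fallback=DEFAULT).strip()


def strict_gate(value: str) -> bool:
    """Fail-closed: only the exact word 'Enabled' (case-insensitive) opens the feature."""
    return value.lower() == "enabled"


def lax_gate(value: str) -> bool:
    """Fail-open: anything that is not 'Disabled' opens the feature (the behaviour the commits fix)."""
    return value.lower() != "disabled"


def gate_disagreements(values: Iterable[str]) -> List[str]:
    """Values on which the two gates disagree: exactly the inputs where the lax check is fail-open."""
    return [v for v in values if strict_gate(v) != lax_gate(v)]


# Constructed sample inputs for the demonstration, not taken from the page.
SAMPLE_CFG = """
[core]
test_connection = Enabled
"""
SAMPLE_CFG_TYPO = """
[core]
test_connection = Enabeld
"""

if __name__ == "__main__":
    for cfg in (SAMPLE_CFG, SAMPLE_CFG_TYPO):
        v = resolve_setting(cfg, env={})
        print(f"{v!r}: strict={strict_gate(v)} lax={lax_gate(v)}")
    # Environment variable takes precedence over the file.
    print("env override:", resolve_setting(SAMPLE_CFG, env={ENV_VAR: "Disabled"}))
    print("lax gate opens on:", gate_disagreements(["Enabled", "Disabled", "Enabeld", "", "yes"]))
```

The typo case is the point of the example: a misspelled or empty value leaves the strict gate closed but opens the lax one, which is why the follow-up commits align the UI check with the API and CLI.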