Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2023-47037

CVE-2023-47037:
Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes

4.3

CVSS Score

Basic Information

CVE ID
CVE-2023-47037
GHSA ID
GHSA-hm9r-7f84-25c9
EPSS Score
-
CWE
CWE-285
Published
11/12/2023
Updated
2/13/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
apache-airflowpip< 2.7.32.7.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from improper authorization in form handling. The key evidence is in the patch which:

  1. Added ReadOnly validators to sensitive fields
  2. Modified populate_obj methods to only process non-read-only fields
  3. Explicitly states in commit message: 'override the form's populate_obj method so field.populate_obj is not called for read-only fields'

The original populate_obj implementations allowed processing of all form fields regardless of read-only status, enabling unauthorized modifications via form submissions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** *ir*low, v*rsions ***or* *.*.*, is *****t** *y * vuln*r**ility t**t *llows *ut**nti**t** *n* ***-vi*w *ut*oriz** Us*rs to mo*i*y som* *** run **t*il v*lu*s w**n su*mittin* not*s. T*is *oul* **v* t**m *lt*r **t*ils su** *s *on*i*ur*tion p*r*m*t

Reasoning

T** vuln*r**ility st*mm** *rom improp*r *ut*oriz*tion in *orm **n*lin*. T** k*y *vi**n** is in t** p*t** w*i**: *. ***** R***Only v*li**tors to s*nsitiv* *i*l*s *. Mo*i*i** popul*t*_o*j m*t*o*s to only pro**ss non-r***-only *i*l*s *. *xpli*itly st*t*