6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-49920

GHSA ID

GHSA-6m9r-7wrx-xmr6

EPSS Score

0.3905%

CWE

CWE-352

Published

12/21/2023

Updated

11/21/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-49920

CVE-2023-49920:
Apache Airflow Cross-Site Request Forgery vulnerability

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later which is not affected

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-49920

GHSA ID

GHSA-6m9r-7wrx-xmr6

EPSS Score

0.3905%

CWE

CWE-352

Published

12/21/2023

Updated

11/21/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
apache-airflow	pip	>= 2.7.0, < 2.8.0	2.8.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from the trigger endpoint accepting GET requests for DAG execution. The GitHub patch shows the critical change in views.py where the condition was modified from checking only GET method to a more restrictive check, forcing POST-based execution. The HTML template changes (adding onclick handlers using POST) and test adjustments (adding POST data) further confirm that GET-based triggering was the vulnerable pattern. The core vulnerability resided in the trigger view's handling of GET requests without CSRF protections.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** *ir*low, v*rsion *.*.* t*rou** *.*.*, **s * vuln*r**ility t**t *llows *n *tt**k*r to tri***r * *** in * **T r*qu*st wit*out *SR* v*li**tion. *s * r*sult, it w*s possi*l* *or * m*li*ious w**sit* op*n** in t** s*m* *rows*r - *y t** us*r w*o *lso

Reasoning

T** vuln*r**ility st*mm** *rom t** tri***r *n*point ****ptin* **T r*qu*sts *or *** *x**ution. T** *it*u* p*t** s*ows t** *riti**l ***n** in `vi*ws.py` w**r* t** *on*ition w*s mo*i*i** *rom ****kin* only **T m*t*o* to * mor* r*stri*tiv* ****k, *or*in*

6.5

Basic Information

Concerned about an active attack path?

CVE-2023-49920: Apache Airflow Cross-Site Request Forgery vulnerability

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-49920:
Apache Airflow Cross-Site Request Forgery vulnerability

Vulnerability Intelligence
Miggo AI