Apache Airflow: Improper access control to DAG resources

Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. Users of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.

N/A

将资源暴露给错误范围

Apache Airflow 安全漏洞

Apache Airflow是美国阿帕奇（Apache）基金会的一套用于创建、管理和监控工作流程的开源平台。该平台具有可扩展和动态监控等特点。 Apache Airflow 2.7.2 版本存在安全漏洞，该漏洞源于允许对某些 DAG 具有有限访问权限的经过身份验证的用户构造一个请求，该请求可以授予用户对用户无权访问的 DAG 的各种 DAG 资源的写访问权限。因此，使用户能够清除他们不应该清除的 DAG。

N/A

N/A