CVE-2023-37379 – This vulnerability in Apache Airflow allows aut... (How to Fix)

Q: What is the severity of CVE-2023-37379?

CVE-2023-37379 has a CVSS score of 8.1 (HIGH). This vulnerability in Apache Airflow allows authenticated users with Connection edit privileges to access connection information and abuse the test connection feature, causing denial of service through excessive requests. It can also enable malicious connections to be established. Affects Apache Airflow installations prior to version 2.7.0.

📋 TL;DR

This vulnerability in Apache Airflow allows authenticated users with Connection edit privileges to access connection information and abuse the test connection feature, causing denial of service through excessive requests. It can also enable malicious connections to be established. Affects Apache Airflow installations prior to version 2.7.0.

💻 Affected Systems

Products:

Apache Airflow

Versions: All versions prior to 2.7.0

Operating Systems: All platforms running Apache Airflow

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated user with Connection edit privileges. Default installations with admin users are vulnerable.

📦 What is this software?

Airflow by Apache

View all CVEs affecting Airflow →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server unavailability due to DoS, plus potential data exfiltration or unauthorized access through malicious connections.

🟠

Likely Case

Service degradation or temporary unavailability from DoS attacks, with possible exposure of sensitive connection credentials.

🟢

If Mitigated

Limited impact with proper access controls and monitoring, though risk remains if unpatched.

🌐 Internet-Facing: HIGH - Internet-facing Airflow instances are directly exposed to authenticated attackers.

🏢 Internal Only: MEDIUM - Internal attackers with valid credentials and connection edit privileges can still exploit.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires valid authentication and specific privileges, but the attack vector is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.0

Vendor Advisory: https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r

Restart Required: Yes

Instructions:

1. Backup your Airflow configuration and database. 2. Upgrade Apache Airflow to version 2.7.0 or newer using pip: 'pip install --upgrade apache-airflow==2.7.0'. 3. Restart all Airflow services. 4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict Connection Edit Privileges

all

Limit which users have permission to edit connections to only essential administrators.

# Modify Airflow RBAC policies to restrict 'can_edit' on Connections model
# Review and update airflow.cfg or webserver_config.py

Implement Rate Limiting

linux

Add rate limiting to the test connection endpoint to prevent DoS attacks.

# Configure web server rate limiting (e.g., nginx, Apache mod_evasive)
# Example nginx: limit_req_zone $binary_remote_addr zone=airflow:10m rate=10r/s;

🧯 If You Can't Patch

Immediately review and restrict user permissions to eliminate Connection edit privileges for non-essential users.
Implement network-level controls to monitor and limit requests to the test connection endpoint.

🔍 How to Verify

Check if Vulnerable:

Check Airflow version: if below 2.7.0 and users have Connection edit privileges, system is vulnerable.

Check Version:

airflow version

Verify Fix Applied:

Confirm Airflow version is 2.7.0 or newer and test that unauthorized users cannot edit connections.

📡 Detection & Monitoring

Log Indicators:

High frequency of POST requests to /connection/test endpoint
Multiple failed or successful connection test attempts from single user in short timeframe
Unusual connection creation/modification events

Network Indicators:

Bursts of traffic to Airflow web server on connection-related endpoints
Abnormal request patterns from authenticated sessions

SIEM Query:

source="airflow.logs" AND (url_path="/connection/test" OR message="connection test") | stats count by src_user, url_path | where count > 10

📊 Metadata

CVE ID: CVE-2023-37379

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE: CWE-200

Published: August 23, 2023

Last Updated: February 13, 2025

🔗 References

http://www.openwall.com/lists/oss-security/2023/08/23/4 Mailing List,Third Party Advisory
https://github.com/apache/airflow/pull/32052 Patch
https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/08/23/4 Mailing List,Third Party Advisory
https://github.com/apache/airflow/pull/32052 Patch
https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-37379, you might also want to check these: