CVE-2023-22887: 
Apache Airflow vulnerability analysis and mitigation

Apache Airflow versions before 2.6.3 contained a path traversal vulnerability (CVE-2023-22887) that allowed authenticated users to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. The vulnerability was discovered and disclosed in July 2023 (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is network-based, requires low attack complexity and low privileges, but no user interaction. The scope is unchanged, with high confidentiality impact but no impact on integrity or availability (NVD).

The vulnerability allows authenticated attackers to access files outside the intended directory structure through path traversal manipulation of the run_id parameter. While the impact is considered low since it requires authentication, successful exploitation could lead to unauthorized access to sensitive files on the system (Apache Mailing List).

The vulnerability was fixed in Apache Airflow version 2.6.3 by introducing a configurable option to sanitize the DagRun.runid parameter. The fix includes a pattern validation mechanism that allows users to specify acceptable runid patterns while maintaining stricter control over the values used. Users are strongly recommended to upgrade to version 2.6.3 or later (GitHub PR).