CVE-2023-37379: 
Apache Airflow vulnerability analysis and mitigation

Apache Airflow versions prior to 2.7.0 contain a security vulnerability (CVE-2023-37379) that affects authenticated users with Connection edit privileges. The vulnerability was disclosed on August 23, 2023, and impacts the connection testing functionality of Apache Airflow (OSS Security).

The vulnerability allows authenticated users with Connection edit privileges to access connection information and exploit the test connection feature. The issue stems from the ability to send multiple requests to test connections, which can be leveraged maliciously. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).

The vulnerability can lead to multiple security issues: exposure of sensitive connection information, potential denial of service (DoS) condition on the server through multiple request submissions, and the possibility of establishing harmful connections with the server (OSS Security).

Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer to address this vulnerability. Additionally, administrators should review and adjust user permissions to restrict access to sensitive functionalities, thereby reducing the attack surface. The fix includes disabling the test connection functionality by default across Airflow UI, API, and CLI, with the option to enable it through configuration settings (GitHub PR).