CVE-2023-48291: 
Apache Airflow vulnerability analysis and mitigation

Apache Airflow versions prior to 2.8.0 contain a security vulnerability (CVE-2023-48291) that allows authenticated users with limited DAG access to craft requests that could grant unauthorized write access to various DAG resources. This vulnerability is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 (NVD, OSS Security).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness is categorized as CWE-668 (Exposure of Resource to Wrong Sphere). The vulnerability allows authenticated users to bypass access controls and gain write permissions to DAG resources they shouldn't have access to (NVD).

The vulnerability enables authenticated users with limited DAG access to gain unauthorized write access to DAG resources they shouldn't have access to, potentially allowing them to clear DAGs without proper authorization. This impacts the integrity of the DAG management system (OSS Security).

Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability. This version contains the complete fix for both this vulnerability and the related CVE-2023-42792 (NVD, OSS Security).

The vulnerability was discovered by balis0ng, and the remediation was developed by Jarek Potiuk. The fix was implemented through a pull request that ensures consistency in dag_ids passed in requests (OSS Security, GitHub PR).