CVE-2023-49920: 
Apache Airflow vulnerability analysis and mitigation

Apache Airflow versions 2.7.0 through 2.7.3 were discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability. The issue was disclosed on December 21, 2023, and affects the DAG trigger functionality in the Airflow UI. This vulnerability is tracked as CVE-2023-49920 and has been assigned a CVSS v3.1 base score of 6.5 (Medium) (NVD).

The vulnerability stems from a missing CSRF protection mechanism on the DAG trigger endpoint, which allows triggering a DAG through a GET request without proper CSRF validation. The issue is classified as CWE-352 (Cross-Site Request Forgery). The vulnerability has a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

When exploited, this vulnerability allows a malicious website opened in the same browser where a user has an active Airflow UI session to trigger the execution of DAGs without the user's consent. This could lead to unauthorized DAG executions and potential workflow disruptions (Openwall).

Users are advised to upgrade to Apache Airflow version 2.8.0 or later, which includes the fix for this vulnerability. The fix involves changing the trigger UI to use HTTP POST instead of GET requests, ensuring proper CSRF protection (GitHub PR).