CVE-2025-62503

MEDIUM4.6EPSS 0.23%

Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables)

發布日:2025/10/30修改日:2025/11/6

也稱為:GHSA-gp5f-cx7h-8q6fBIT-airflow-2025-62503

描述

User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.

受影響套件(2)

Bitnami/airflow>= 3.0.0, < 3.1.1
PyPI/apache-airflow>= 3.0.0, < 3.1.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

參考連結(5)