CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger
Medium
Vulnerability Details
During my testing, I found that there is no CSRF protection on dag/trigger. If a user is logged in to their Airflow account and has permission to trigger a DAG, then an attacker can trick the user into running a DAG unintentionally.
Apache Airflow, versions 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.
Users are advised to upgrade to version 2.8.0 or later, which is not affected.
## Details:
https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq
## Email from the project maintainer
███████
Regards,
@0xt4req
## Impact
It was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent.
Report Stats
- Report ID: 2294709
- State: Closed
- Substate: resolved
- Upvotes: 21
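
For deployments that ran 2.7.0 through 2.7.3, reverse-proxy access logs can be reviewed for GET requests to the trigger route whose Referer is another site or is missing. This is an added example, not part of the original report or of Airflow's code; the combined log format, the `/dags/<dag_id>/trigger` route pattern and the host name `airflow.example.internal` are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the proxy in front of Airflow writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
# Assumption: adjust this pattern to the trigger route your deployment exposes.
TRIGGER_PATH_RE = re.compile(r"^/dags/[^/]+/trigger$")


def classify(line, airflow_host):
    """Return None for lines that are not a GET to the trigger route,
    otherwise a dict whose 'verdict' describes where the request came from."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] != "GET":
        return None
    path = urlsplit(m["target"]).path  # ignore any query string
    if not TRIGGER_PATH_RE.match(path):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"  # cross-site cannot be ruled out; review by hand
    elif (urlsplit(referer).hostname or "") == airflow_host.lower():
        verdict = "same-host"
    else:
        verdict = "cross-site"
    return {"ts": m["ts"], "user": m["user"], "path": path,
            "status": m["status"], "referer": referer, "verdict": verdict}


def scan(lines, airflow_host):
    """Keep only trigger GETs that did not come from the Airflow UI itself."""
    hits = (classify(line, airflow_host) for line in lines)
    return [h for h in hits if h and h["verdict"] != "same-host"]


# Constructed sample log lines (not real traffic).
_UA = '"Mozilla/5.0"'
SAMPLE = [
    f'10.0.0.5 - alice [12/Dec/2023:10:01:02 +0000] "GET /dags/etl_daily/trigger HTTP/1.1" 302 0 "https://airflow.example.internal/home" {_UA}',
    f'10.0.0.5 - alice [12/Dec/2023:10:07:40 +0000] "GET /dags/etl_daily/trigger HTTP/1.1" 302 0 "https://other.example.net/page" {_UA}',
    f'10.0.0.9 - bob [12/Dec/2023:11:00:00 +0000] "GET /dags/cleanup/trigger HTTP/1.1" 302 0 "-" {_UA}',
    f'10.0.0.9 - bob [12/Dec/2023:11:05:00 +0000] "POST /dags/cleanup/trigger HTTP/1.1" 302 0 "https://airflow.example.internal/home" {_UA}',
    f'10.0.0.9 - bob [12/Dec/2023:11:06:00 +0000] "GET /home HTTP/1.1" 200 5120 "-" {_UA}',
]
```

Each hit is a lead, not proof: compare its timestamp and user against the DAG run history to see whether a run started that the user did not intend.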