Summary
Amazon Managed Workflows for Apache Airflow (MWAA) and the Task instance details
page in the Google Composer UI were not patched against CVE-2023-29247 (Stored XSS).
This meant that post-authentication, a threat actor could have exploited this
to store their JavaScript payload in the victim's managed Apache Airflow instance
and run JavaScript on behalf of the victim (who could be an admin or another
user with higher permissions than the threat actor, thereby leading to privilege escalation).
With JavaScript, threat actors could have run any operation in the session that the victim
is able to run — edit tasks, read jobs, run jobs, read plugins and configurations,
list connections, add variables and more.
Affected Services
MWAA, Composer
Remediation
AWS users should update their instances via the AWS Console.
GCP users should take steps to update their Cloud Composer versions to 2.4.2 or later.
Tracked CVEs
CVE-2023-29247
References
https://www.tenable.com/blog/apatchme-authenticated-stored-xss-vulnerability-in-aws-and-gcp-apache-airflow-serviceshttps://cloud.google.com/composer/docs/known-issues#cve-2023-29247
Contributed by https://github.com/ramimac
Disclosure Date
Thu, Nov 2nd, 2023
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Liv Matan, Tenable
