Lucene search
HistoryApr 18, 2024 - 8:15 a.m.
CVE-2024-31869
airflow
vulnerability
ui
configuration
cve-2024-31869
authenticated user
sensitive provider
webserver configuration
expose_config
airflow 2.9
workaround
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the βconfigurationβ UI pageΒ when βnon-sensitive-onlyβ was set as βwebserver.expose_configβ configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your βexpose_configβ configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page.
Related
osv
osv
CVE-2024-31869
2024-04-18 08:15:38
Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
2024-04-18 09:30:44
BIT-airflow-2024-31869
2024-04-20 07:16:43
cvelist
cvelist
github
github
veracode
veracode
Information Exposure
2024-04-21 18:00:35
Information Disclosure
2023-10-26 07:10:11
cnvd
cnvd
Apache Airflow Information Disclosure Vulnerability (CNVD-2023-85609)
2023-10-26 00:00:00
prion
prion
Default configuration
2023-10-23 19:15:00
cve
cve
CVE-2023-46288
2023-10-23 19:15:11