Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the “expose_config” option is set to “non-sensitive-only”. The expose_config
option is False by default.
It is recommended to upgrade to a version that is not affected.
[
{
"collectionURL": "https://pypi.python.org/",
"defaultStatus": "unaffected",
"packageName": "apache-airflow",
"product": "Apache Airflow",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.7.2",
"status": "affected",
"version": "2.7.0",
"versionType": "semver"
}
]
}
]