Lucene search
ApacheCVELIST:CVE-2024-31869HistoryApr 18, 2024 - 7:19 a.m.
CVE-2024-31869 Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
2024-04-1807:19:05
CWE-200
apache
www.cve.org
apache airflow
vulnerability
sensitive configuration
authenticated user
webserver
ui page
community provider
workaround
cve-2024-31869
api
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the βconfigurationβ UI pageΒ when βnon-sensitive-onlyβ was set as βwebserver.expose_configβ configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your βexpose_configβ configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page.
CNA Affected
[
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "apache-airflow",
"product": "Apache Airflow",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.8.4",
"status": "affected",
"version": "2.7.0",
"versionType": "semver"
}
]
}
]Related
github
github
cve
cve
CVE-2024-31869
2024-04-18 08:15:38
CVE-2023-46288
2023-10-23 19:15:11
osv
osv
CVE-2024-31869
2024-04-18 08:15:38
BIT-airflow-2024-31869
2024-04-20 07:16:43
nvd
nvd
CVE-2024-31869
2024-04-18 08:15:38
CVE-2023-46288
2023-10-23 19:15:11
veracode
veracode
Information Exposure
2024-04-21 18:00:35
Information Disclosure
2023-10-26 07:10:11
cnvd
cnvd
Apache Airflow Information Disclosure Vulnerability (CNVD-2023-85609)
2023-10-26 00:00:00
cvelist
cvelist
prion
prion
Default configuration
2023-10-23 19:15:00