Lucene search
GitHub Advisory DatabaseGHSA-2522-MRJC-M688HistoryApr 18, 2024 - 9:30 a.m.
Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
2024-04-1809:30:44
CWE-200
GitHub Advisory Database
github.com
9
apache airflow
vulnerability
authenticated user
provider configuration
ui
non-sensitive-only
airflow 2.9
cve-2023-46288
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the βconfigurationβ UI pageΒ when βnon-sensitive-onlyβ was set as βwebserver.expose_configβ configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your βexpose_configβ configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page.
| CPE | Name | Operator | Version |
|---|---|---|---|
| apache-airflow | lt | 2.9.0 |
References
Related
osv
osv
CVE-2024-31869
2024-04-18 08:15:38
Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
2024-04-18 09:30:44
BIT-airflow-2024-31869
2024-04-20 07:16:43
cvelist
cvelist
cve
cve
CVE-2024-31869
2024-04-18 08:15:38
CVE-2023-46288
2023-10-23 19:15:11
veracode
veracode
Information Exposure
2024-04-21 18:00:35
Information Disclosure
2023-10-26 07:10:11
cnvd
cnvd
Apache Airflow Information Disclosure Vulnerability (CNVD-2023-85609)
2023-10-26 00:00:00
github
github
Apache Airflow vulnerable to Exposure of Sensitive Information
2023-10-23 21:30:58
prion
prion
Default configuration
2023-10-23 19:15:00