Lucene search

GitHub Advisory DatabaseGHSA-MJFF-WV85-HMCJ

HistoryJun 19, 2023 - 9:30 a.m.

Apache Airflow vulnerable to exposure of sensitive information

2023-06-1909:30:17

CWE-200

GitHub Advisory Database

github.com

apache airflow

sensitive information

vulnerability

configuration

update

software

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

25.9%

JSON

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.

This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if [webserver] expose_config is set to non-sensitive-only), and not all uncensored values are actually sentitive.

This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

Affected configurations

Vulners

Node

apacheairflowRange<2.6.2

CPENameOperatorVersion
apache-airflowlt2.6.2

CPE	Name	Operator	Version
	apache-airflow	lt	2.6.2

References

github.com/advisories/GHSA-mjff-wv85-hmcj

github.com/apache/airflow/pull/31788

github.com/apache/airflow/pull/31820

github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-89.yaml

lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd

nvd.nist.gov/vuln/detail/CVE-2023-35005

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

25.9%

JSON

Related for GHSA-MJFF-WV85-HMCJ