GitHub Advisory DatabaseGHSA-MJQH-V5F2-G2MWApache Airflow information exposure vulnerability
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
34.6%
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.
Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| apache-airflow | ge | 0 | |
| apache-airflow | lt | 2.7.1 |
References
github.com/advisories/GHSA-mjqh-v5f2-g2mw
github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e
github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148
github.com/apache/airflow/pull/33512
github.com/apache/airflow/pull/33516
github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml
lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts
nvd.nist.gov/vuln/detail/CVE-2023-40712
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
34.6%