Lucene search

[email protected]NVD:CVE-2023-35005

HistoryJun 19, 2023 - 9:15 a.m.

CVE-2023-35005

2023-06-1909:15:09

CWE-200

[email protected]

web.nvd.nist.gov

apache airflow

vulnerability

sensitive values

exposure

configuration

update

cve-2023-35005

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

25.9%

JSON

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.

This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if [webserver] expose_config is set to non-sensitive-only), and not all uncensored values are actually sentitive.

This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

Affected configurations

NVD

Node

apacheairflowRange2.5.0–2.6.2

References

github.com/apache/airflow/pull/31788

github.com/apache/airflow/pull/31820

lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

25.9%

JSON

Related for NVD:CVE-2023-35005

osv4 veracode1 cnvd1 cvelist1 cve1 prion1 github1