Lucene search
GoogleOSV:BIT-AIRFLOW-2024-31869HistoryApr 20, 2024 - 7:16 a.m.
BIT-airflow-2024-31869
2024-04-2007:16:43
Google
osv.dev
6
airflow
vulnerability
provider configuration
authentication
ui
community provider
workaround
migration
cve-2023-46288
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the βconfigurationβ UI pageΒ when βnon-sensitive-onlyβ was set as βwebserver.expose_configβ configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your βexpose_configβ configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page.
Related
osv
osv
CVE-2024-31869
2024-04-18 08:15:38
Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
2024-04-18 09:30:44
BIT-2023-46288
2023-10-29 07:16:49
cvelist
cvelist
cve
cve
CVE-2024-31869
2024-04-18 08:15:38
CVE-2023-46288
2023-10-23 19:15:11
github
github
veracode
veracode
Information Exposure
2024-04-21 18:00:35
Information Disclosure
2023-10-26 07:10:11
cnvd
cnvd
Apache Airflow Information Disclosure Vulnerability (CNVD-2023-85609)
2023-10-26 00:00:00
prion
prion
Default configuration
2023-10-23 19:15:00
6.7 Medium
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.8%
Related for OSV:BIT-AIRFLOW-2024-31869