CVE-2023-35005

2023-06-1909:15:09

Google

osv.dev

apache airflow

sensitivity values

configuration

update

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.0%

JSON

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.

This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if [webserver] expose_config is set to non-sensitive-only), and not all uncensored values are actually sentitive.

This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

CPENameOperatorVersion
airfloweqproviders-microsoft-azure/5.2.0
airfloweqproviders-yandex/3.2.0rc3
airfloweqproviders-fab/1.0.1
airfloweqproviders-mongo/3.2.1rc1
airfloweqproviders-microsoft-azure/6.2.0rc1
airfloweqproviders-apache-hive/6.2.0rc1
airfloweqproviders-microsoft-mssql/3.7.0
airfloweqproviders-tableau/2.1.7
airfloweqproviders-alibaba/2.5.2rc1
airfloweqproviders-google/10.11.1rc1

Name	Operator	Version
airflow	eq	providers-microsoft-azure/5.2.0
airflow	eq	providers-yandex/3.2.0rc3
airflow	eq	providers-fab/1.0.1
airflow	eq	providers-mongo/3.2.1rc1
airflow	eq	providers-microsoft-azure/6.2.0rc1
airflow	eq	providers-apache-hive/6.2.0rc1
airflow	eq	providers-microsoft-mssql/3.7.0
airflow	eq	providers-tableau/2.1.7
airflow	eq	providers-alibaba/2.5.2rc1
airflow	eq	providers-google/10.11.1rc1