CVE-2023-45348

2023-10-1410:15:10

Google

osv.dev

cve-2023-45348

apache airflow

sensitive configuration

authenticated user

expose_config option

non-sensitive-only

upgrade

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

19.1%

JSON

Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the “expose_config” option is set to “non-sensitive-only”. The expose_config option is False by default.
It is recommended to upgrade to a version that is not affected.

CPENameOperatorVersion
airfloweqproviders-microsoft-azure/5.2.0
airfloweqproviders-yandex/3.2.0rc3
airfloweqproviders-fab/1.0.1
airfloweqproviders-mongo/3.2.1rc1
airfloweqproviders-microsoft-azure/6.2.0rc1
airfloweqproviders-apache-hive/6.2.0rc1
airfloweqproviders-microsoft-mssql/3.7.0
airfloweqproviders-alibaba/2.5.2rc1
airfloweqproviders-google/10.11.1rc1
airfloweqproviders-qubole/3.4.3

Name	Operator	Version
airflow	eq	providers-microsoft-azure/5.2.0
airflow	eq	providers-yandex/3.2.0rc3
airflow	eq	providers-fab/1.0.1
airflow	eq	providers-mongo/3.2.1rc1
airflow	eq	providers-microsoft-azure/6.2.0rc1
airflow	eq	providers-apache-hive/6.2.0rc1
airflow	eq	providers-microsoft-mssql/3.7.0
airflow	eq	providers-alibaba/2.5.2rc1
airflow	eq	providers-google/10.11.1rc1
airflow	eq	providers-qubole/3.4.3