Apache Airflow vulnerable to exposure of sensitive information

2023-06-1909:30:17

Google

osv.dev

apache airflow

sensitive information

exposure

vulnerability

configuration

update

software

2.5.0

2.6.2

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

25.9%

JSON

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.

This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if [webserver] expose_config is set to non-sensitive-only), and not all uncensored values are actually sentitive.

This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

CPENameOperatorVersion
apache-airfloweq2.5.0
apache-airfloweq2.6.1rc2
apache-airfloweq2.5.1rc1
apache-airfloweq2.6.1rc3
apache-airfloweq2.6.0rc1
apache-airfloweq2.6.0rc3
apache-airfloweq2.6.0rc2
apache-airfloweq2.6.0b1
apache-airfloweq2.5.1
apache-airfloweq2.5.2rc2

Name	Operator	Version
apache-airflow	eq	2.5.0
apache-airflow	eq	2.6.1rc2
apache-airflow	eq	2.5.1rc1
apache-airflow	eq	2.6.1rc3
apache-airflow	eq	2.6.0rc1
apache-airflow	eq	2.6.0rc3
apache-airflow	eq	2.6.0rc2
apache-airflow	eq	2.6.0b1
apache-airflow	eq	2.5.1
apache-airflow	eq	2.5.2rc2