5 matches found
Insertion of Sensitive Information Into Sent Data
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the handling of rendered template fields when the length exceeds the configured maximum, causing nested sensitive keys within JSON structures to be stringified before redaction and...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the str.lstrip function used for validating JWT tokens against Dag IDs. An attacker can gain unauthorized access to other Dags' log data by crafting JWT tokens that exploit character overlap in Dag names. Note...
Insertion of Sensitive Information Into Sent Data
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the /api/v2/connections/connectionid REST API endpoint. An attacker can access sensitive credential information stored in the extra JSON blob by making authenticated requests with...
Incorrect Permission Assignment for Critical Resource
Overview Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the DagVersion listing API when the dagid parameter is set to "". An attacker can obtain unauthorized metadata about DAGs by sending a request with a wildcard value, bypassing...
Incorrect Use of Privileged APIs
Overview Affected versions of this package are vulnerable to Incorrect Use of Privileged APIs via insufficient permission checks in the getlog function. An authenticated user without log-viewing permissions can still access task execution logs containing sensitive operational data, debugging...