Lucene search

Veracode Vulnerability DatabaseVERACODE:46550

HistoryApr 21, 2024 - 6:00 p.m.

Information Exposure

2024-04-2118:00:35

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

apache airflow

information exposure

configuration

vulnerability

webserver

sensitive data

exploit

attack

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.1%

JSON

apache-airflow is vulnerable to Information Exposure. The vulnerability is due a flaw in the “configuration” UI page when “non-sensitive-only” was set as webserver.expose_config configuration. An attacker can exploit this vulnerability by sending a specially crafted request to see sensitive provider configuration and use this information to launch further attacks against the system.

CPENameOperatorVersion
apache-airflowle2.8.4
apache-airflowle2.8.4

CPE	Name	Operator	Version
	apache-airflow	le	2.8.4
	apache-airflow	le	2.8.4

References

www.openwall.com/lists/oss-security/2024/04/17/10

github.com/apache/airflow/commit/042c2acaed7c01933d37c2f8434640ce140a4b27

github.com/apache/airflow/commit/a3eb5f73d617b7482fdcc81a888e3599f1f63d75

github.com/apache/airflow/pull/38795

lists.apache.org/thread/pz6vg7wcjk901rmsgt86h76g6kfcgtk3