Lucene search
ApacheVULNRICHMENT:CVE-2024-31869HistoryApr 18, 2024 - 7:19 a.m.
CVE-2024-31869 Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
2024-04-1807:19:05
CWE-200
apache
github.com
6
apache airflow
sensitive configuration
vulnerability
authenticated user
ui page
workaround
celery provider
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the βconfigurationβ UI pageΒ when βnon-sensitive-onlyβ was set as βwebserver.expose_configβ configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your βexpose_configβ configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page.
CNA Affected
[
{
"vendor": "Apache Software Foundation",
"product": "Apache Airflow",
"versions": [
{
"status": "affected",
"version": "2.7.0",
"versionType": "semver",
"lessThanOrEqual": "2.8.4"
}
],
"packageName": "apache-airflow",
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected"
}
]Related
osv
osv
CVE-2024-31869
2024-04-18 08:15:38
BIT-airflow-2024-31869
2024-04-20 07:16:43
cvelist
cvelist
nvd
nvd
CVE-2024-31869
2024-04-18 08:15:38
CVE-2023-46288
2023-10-23 19:15:11
github
github
cve
cve
CVE-2024-31869
2024-04-18 08:15:38
CVE-2023-46288
2023-10-23 19:15:11
veracode
veracode
Information Exposure
2024-04-21 18:00:35
Information Disclosure
2023-10-26 07:10:11
cnvd
cnvd
Apache Airflow Information Disclosure Vulnerability (CNVD-2023-85609)
2023-10-26 00:00:00
vulnrichment
vulnrichment
prion
prion
Default configuration
2023-10-23 19:15:00
AI Score
6.3
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
Related for VULNRICHMENT:CVE-2024-31869