Apache Airflow subject to Exposure of Sensitive Information

GHSA-fvw2-2pf7-77vw · BIT-airflow-2022-27949 · CVE-2022-27949 · PYSEC-2022-42981

Published Nov 14, 2022 · Modified May 1, 2025

Description

A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-27949
WEB https://github.com/apache/airflow/pull/22754
WEB https://github.com/apache/airflow/commit/09be0c5c7e847dda1d0be5776f8d5e327ff2281a
WEB https://github.com/apache/airflow/commit/1cbb0ad26dd17f218c6ab1c2ae59b262c443a443
PACKAGE https://github.com/apache/airflow
WEB https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-42981.yaml
WEB https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p
WEB http://www.openwall.com/lists/oss-security/2022/11/14/3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes