Apache Airflow vulnerable to exposure of sensitive information

GHSA-mjff-wv85-hmcj · BIT-airflow-2023-35005 · CVE-2023-35005 · PYSEC-2023-89

Published Jun 19, 2023 · Modified Nov 22, 2024

Description

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.

This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if [webserver] expose_config is set to non-sensitive-only), and not all uncensored values are actually sentitive.

This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-35005
WEB https://github.com/apache/airflow/pull/31788
WEB https://github.com/apache/airflow/pull/31820
WEB https://github.com/apache/airflow/commit/5679a01919ac9d5153e858f8b1390cbc7915f148
WEB https://github.com/apache/airflow/commit/f6cda8fb63250fc4700658999739c1c3c5f6625c
PACKAGE https://github.com/apache/airflow
WEB https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-89.yaml
WEB https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes