Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00NmMzLTV4YzUtd3dods4ABBYW
Apache Airflow: Sensitive configuration values are not masked in the logs by default
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.
Permalink: https://github.com/advisories/GHSA-46c3-5xc5-wwhvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NmMzLTV4YzUtd3dods4ABBYW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 days ago
Updated: 5 days ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-46c3-5xc5-wwhv, CVE-2024-45784
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-45784
- https://github.com/apache/airflow/pull/43040
- https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
- https://github.com/advisories/GHSA-46c3-5xc5-wwhv
Blast Radius: 14.1
Affected Packages
pypi:airflow
Dependent packages: 2Dependent repositories: 75
Downloads: 49,198 last month
Affected Version Ranges: < 2.10.3
Fixed in: 2.10.3
All affected versions:
All unaffected versions: