Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02NjZnLXJmYzUtYzlqds4AA2wn
Apache Airflow Celery provider Insertion of Sensitive Information into Log File vulnerability
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow.
Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend
Note: the vulnerability is about the information exposed in the logs not about accessing the logs.
This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3.
Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue.
Permalink: https://github.com/advisories/GHSA-666g-rfc5-c9jvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NjZnLXJmYzUtYzlqds4AA2wn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-666g-rfc5-c9jv, CVE-2023-46215
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-46215
- https://github.com/apache/airflow/pull/34954
- https://lists.apache.org/thread/wm1jfmks7r6m7bj0mq4lmw3998svn46n
- http://www.openwall.com/lists/oss-security/2023/10/28/1
- https://github.com/advisories/GHSA-666g-rfc5-c9jv
Blast Radius: 23.9
Affected Packages
pypi:apache-airflow
Dependent packages: 265Dependent repositories: 1,554
Downloads: 23,800,308 last month
Affected Version Ranges: >= 1.10.0, < 2.7.0
Fixed in: 2.7.0
All affected versions: 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3
All unaffected versions: 1.8.1, 1.8.2, 1.9.0, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0
pypi:apache-airflow-providers-celery
Dependent packages: 6Dependent repositories: 69
Downloads: 616,842 last month
Affected Version Ranges: >= 3.3.0, < 3.4.1
Fixed in: 3.4.1
All affected versions: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0
All unaffected versions: 1.0.0, 1.0.1, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2