Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1tamZmLXd2ODUtaG1jas4AAz7T

High CVSS: 7.1 EPSS: 0.00187% (0.41087 Percentile) EPSS:
Permalink JSON

Apache Airflow vulnerable to exposure of sensitive information

Affected Packages Affected Versions Fixed Versions
pypi:apache-airflow >= 2.5.0, < 2.6.2rc1 2.6.2rc1
314 Dependent packages
1,554 Dependent repositories
15,393,544 Downloads last month

Affected Version Ranges

All affected versions

2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1

All unaffected versions

1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.

This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if [webserver] expose_config is set to non-sensitive-only), and not all uncensored values are actually sentitive.

This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

References:

Identifiers

GHSA-mjff-wv85-hmcj

CVE-2023-35005

Risk

Severity

High

CVSS

CVSS Score: 7.1

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00187

EPSS Percentile: 0.41087

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/apache/airflow

Date and time

Published

about 2 years ago

Updated

8 months ago

API

JSON