oss-sec mailing list archives

CVE-2020-17511: Apache Airflow Admin password gets logged in plain text

From: Kaxil Naik <kaxilnaik () apache org>
Date: Fri, 11 Dec 2020 13:39:06 +0000

Versions Affected: < 1.10.13

Description:
In Airflow < 1.10.13, when creating a user using airflow CLI, the password
gets logged in plain text in the Log table in Airflow Metadatase. Same
happened when creating a Connection with a password field.

Credit:
Ali Al-Habsi of Accellion

Thanks,
Kaxil,
on behalf of Apache Airflow PMC

Current thread:

CVE-2020-17511: Apache Airflow Admin password gets logged in plain text Kaxil Naik (Dec 11)