oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-45348: Apache Airflow: Configuration information leakage vulnerability

From: Ephraim Anierobi <ephraimanierobi () apache org>
Date: Fri, 13 Oct 2023 15:14:01 +0000
Severity: important

Affected versions:

- Apache Airflow 2.7.0 before 2.7.2

Description:

Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve 
sensitive configuration information when the "expose_config" option is set to "non-sensitive-only". The `expose_config` 
option is False by default.
It is recommended to upgrade to a version that is not affected.

Credit:

L3yx of Syclover Security Team (finder)
Hussein Awala (remediation developer)

References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-45348
Previous By Date Next
Previous By Thread Next

Current thread: