Skip to content

Apache Airflow vulnerable to exposure of sensitive information

Moderate severity GitHub Reviewed Published Jun 19, 2023 to the GitHub Advisory Database • Updated Sep 11, 2024

Package

pip apache-airflow (pip)

Affected versions

>= 2.5.0, < 2.6.2rc1

Patched versions

2.6.2rc1

Description

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.

This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if [webserver] expose_config is set to non-sensitive-only), and not all uncensored values are actually sentitive.

This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

References

Published by the National Vulnerability Database Jun 19, 2023
Published to the GitHub Advisory Database Jun 19, 2023
Reviewed Jun 19, 2023
Last updated Sep 11, 2024

Severity

Moderate

EPSS score

0.060%
(27th percentile)

Weaknesses

CVE ID

CVE-2023-35005

GHSA ID

GHSA-mjff-wv85-hmcj

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.