oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-50378: Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli

From: Ephraim Anierobi <ephraimanierobi () apache org>
Date: Fri, 08 Nov 2024 14:19:33 +0000
Severity: low

Affected versions:

- Apache Airflow before 2.10.3

Description:

Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see 
sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of 
those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is 
limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which 
addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with 
those variables from the log table.

Credit:

Saurabh Banawar (finder)
Shubham Raj (remediation developer)

References:

https://github.com/apache/airflow/pull/43123
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-50378
Previous By Date Next
Previous By Thread Next

Current thread: