List: oss-security
Subject: [oss-security] CVE-2023-35005: Apache Airflow: Information disclosure on configuration view
From: Elad Kalif <eladkal () apache ! org>
Date: 2023-06-18 13:48:36
Message-ID: 9d0fbd7b-9a2c-ea9c-7c19-66f696291519 () apache ! org
Severity: low
Affected versions:
- Apache Airflow 2.5.0 before 2.6.2
Description:
In Apache Airflow, some potentially sensitive configuration values were being shown to the user in certain situations.
This vulnerability is mitigated by the fact that configuration is not shown in the UI by default; the issue arises only when `[webserver] expose_config` is set to `non-sensitive-only`, and not all of the uncensored values are actually sensitive.
This issue affects Apache Airflow: from 2.5.0 before 2.6.2.
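The two preconditions above (an affected version and `expose_config` set to `non-sensitive-only`) can be checked offline from a deployment's airflow.cfg. The script below is an added triage example, not code from the advisory or the Airflow project. It assumes the Airflow conventions that airflow.cfg is INI-formatted, that the value of `expose_config` is compared case-insensitively, and that the environment variable AIRFLOW__WEBSERVER__EXPOSE_CONFIG overrides the file; the sample config fragments are constructed for illustration.

```python
import configparser
import os
from typing import Dict, Optional, Tuple

# Constructed sample airflow.cfg fragments (not taken from any real deployment).
CFG_NON_SENSITIVE_ONLY = """
[webserver]
expose_config = non-sensitive-only
"""

CFG_DEFAULT = """
[webserver]
expose_config = False
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.6.1' into (2, 6, 1).

    Only the leading digits of each component are kept, so a pre-release such
    as '2.6.2rc1' maps to (2, 6, 2); treat pre-releases conservatively.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts)


def version_in_affected_range(version: str) -> bool:
    """Affected range stated in the advisory: from 2.5.0 before 2.6.2."""
    return (2, 5, 0) <= parse_version(version) < (2, 6, 2)


def effective_expose_config(cfg_text: str, env: Optional[Dict[str, str]] = None) -> str:
    """Resolve [webserver] expose_config, normalised to lower case.

    Assumption (Airflow convention): AIRFLOW__WEBSERVER__EXPOSE_CONFIG in the
    environment wins over the file. Interpolation is disabled so literal '%'
    characters elsewhere in a real airflow.cfg do not break parsing.
    """
    env = os.environ if env is None else env
    override = env.get("AIRFLOW__WEBSERVER__EXPOSE_CONFIG")
    if override is not None:
        return override.strip().lower()
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.get("webserver", "expose_config", fallback="False").strip().lower()


def is_exposed(version: str, cfg_text: str, env: Optional[Dict[str, str]] = None) -> bool:
    """True only when both advisory preconditions hold: affected version and
    the non-sensitive-only configuration view enabled."""
    return (
        version_in_affected_range(version)
        and effective_expose_config(cfg_text, env) == "non-sensitive-only"
    )


if __name__ == "__main__":
    # Example run against the constructed fragments (hypothetical version numbers).
    for ver, cfg, label in [
        ("2.6.1", CFG_NON_SENSITIVE_ONLY, "2.6.1 / non-sensitive-only"),
        ("2.6.1", CFG_DEFAULT, "2.6.1 / default"),
        ("2.6.2", CFG_NON_SENSITIVE_ONLY, "2.6.2 / non-sensitive-only"),
    ]:
        print(f"{label}: {'EXPOSED' if is_exposed(ver, cfg, env={}) else 'not exposed'}")
```

Pass `env={}` to evaluate the file alone, or leave it unset to honour the process environment as a running webserver would; remediation is either upgrading to 2.6.2 or leaving `expose_config` at its default of `False`.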
Credit:
Piotr Chomiak from Astro product security team (finder)
References:
https://github.com/apache/airflow/pull/31788
https://github.com/apache/airflow/pull/31820
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-35005