[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2023-35005: Apache Airflow: Information disclosure on configuration view
From:       Elad Kalif <eladkal () apache ! org>
Date:       2023-06-18 13:48:36
Message-ID: 9d0fbd7b-9a2c-ea9c-7c19-66f696291519 () apache ! org
[Download RAW message or body]

Severity: low

Affected versions:

- Apache Airflow 2.5.0 before 2.6.2

Description:

In Apache Airflow, some potentially sensitive values were being shown to the user in certain \
situations.








This vulnerability is mitigated by the fact configuration is not shown in the UI by default \
(only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored \
values are actually sentitive.





This issue affects Apache Airflow: from 2.5.0 before 2.6.2.

Credit:

Piotr Chomiak from Astro product security team (finder)

References:

https://github.com/apache/airflow/pull/31788
https://github.com/apache/airflow/pull/31820
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-35005


[prev in list] [next in list] [prev in thread] [next in thread]