List: oss-security
Subject: [oss-security] CVE-2023-46288: Apache Airflow: Sensitive parameters expos
From: Jarek Potiuk <potiuk () apache ! org>
Date: 2023-10-23 15:38:43
Message-ID: bd530d8e-f453-71e6-6645-029ae552fa3d () apache ! org
Severity: low
Affected versions:
- Apache Airflow 2.4.0 before 2.7.0
Description:
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.4.0 to 2.7.0.

Sensitive configuration information has been exposed to authenticated users who have the ability to read configuration via the Airflow REST API configuration endpoint, even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. If you have set expose_config to non-sensitive-only, it is recommended to upgrade to a version that is not affected. This is a different issue from CVE-2023-45348, which allows an authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (fixed in 2.7.2).

Users are recommended to upgrade to version 2.7.2, which fixes this issue and additionally fixes CVE-2023-45348.
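The following is an added example, not code from Apache Airflow or from this advisory, of the check an operator would run before and after upgrading when `[webserver] expose_config = non-sensitive-only` is in use. It parses the JSON shape returned by Airflow's stable REST API endpoint `GET /api/v1/config` (a list of sections, each with key/value options) and reports any option from a sensitive set whose value came back unmasked. The masked placeholder `< hidden >`, the sensitive option list and the sample responses are assumptions constructed for the example, not values taken from the advisory; check them against the version you run.

```python
"""Check an Airflow REST API config response for unmasked secrets.

Added example, not Airflow or advisory code. It consumes the JSON returned by
GET /api/v1/config, i.e.
  {"sections": [{"name": "<section>", "options": [{"key": "...", "value": "..."}]}]}
and lists every option from a chosen sensitive set whose value was returned
unmasked. Assumed (not stated in the advisory): Airflow substitutes the
placeholder "< hidden >" for masked values, and the options below mirror a
subset of Airflow's default sensitive_config_values.
"""
import base64
import json
import urllib.request

MASKED = "< hidden >"  # assumed placeholder Airflow uses for masked values

# Assumed subset of Airflow's sensitive options; extend for your deployment.
SENSITIVE_OPTIONS = {
    ("database", "sql_alchemy_conn"),
    ("core", "fernet_key"),
    ("webserver", "secret_key"),
    ("celery", "broker_url"),
    ("celery", "result_backend"),
    ("smtp", "smtp_password"),
}


def find_unmasked_secrets(config_json, sensitive=SENSITIVE_OPTIONS):
    """Return [(section, key, value)] for sensitive options present with an unmasked value."""
    leaked = []
    for section in config_json.get("sections", []):
        name = section.get("name", "")
        for opt in section.get("options", []):
            key = opt.get("key", "")
            value = opt.get("value")
            if (name, key) in sensitive and value != MASKED:
                leaked.append((name, key, value))
    return leaked


def fetch_config(base_url, username, password, timeout=10):
    """GET /api/v1/config with HTTP basic auth (needs Airflow's basic_auth API backend).

    Network call; the constructed samples below do not exercise it.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/config",
        headers={"Accept": "application/json"},
    )
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real server).
# Shape of what an affected instance with expose_config = non-sensitive-only
# is reported to return: secret values come back in clear text.
AFFECTED_RESPONSE = {
    "sections": [
        {"name": "core", "options": [
            {"key": "executor", "value": "CeleryExecutor"},
            {"key": "fernet_key", "value": "fake-fernet-key-for-demo-only"},
        ]},
        {"name": "database", "options": [
            {"key": "sql_alchemy_conn", "value": "postgresql+psycopg2://airflow:s3cret@db:5432/airflow"},
        ]},
        {"name": "webserver", "options": [
            {"key": "expose_config", "value": "non-sensitive-only"},
            {"key": "secret_key", "value": "change-me"},
        ]},
    ]
}

# Expected behaviour of non-sensitive-only after the fix: same sections, secrets masked.
FIXED_RESPONSE = json.loads(json.dumps(AFFECTED_RESPONSE))
for _section in FIXED_RESPONSE["sections"]:
    for _opt in _section["options"]:
        if (_section["name"], _opt["key"]) in SENSITIVE_OPTIONS:
            _opt["value"] = MASKED


if __name__ == "__main__":
    for label, body in (("affected", AFFECTED_RESPONSE), ("fixed", FIXED_RESPONSE)):
        leaks = find_unmasked_secrets(body)
        print(f"{label}: {len(leaks)} unmasked sensitive option(s)")
        for section, key, _ in leaks:
            print(f"  [{section}] {key}")
```

Against a live instance, pass the result of `fetch_config(...)` (called as a user that holds the configuration-read permission) to `find_unmasked_secrets`; with `expose_config = non-sensitive-only` on 2.7.2 or later the expected result is an empty list, and with `expose_config = False` the endpoint should not return configuration at all.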
Credit:
id_No2015429 of 3H Secruity Team (finder)
Lee, Wei (finder)
Lee, Wei (remediation developer)
References:
https://github.com/apache/airflow/pull/32261
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46288