
List:       oss-security
Subject:    [oss-security] CVE-2023-46288: Apache Airflow: Sensitive parameters expos
From:       Jarek Potiuk <potiuk@apache.org>
Date:       2023-10-23 15:38:43
Message-ID: bd530d8e-f453-71e6-6645-029ae552fa3d@apache.org

Severity: low

Affected versions:

- Apache Airflow 2.4.0 before 2.7.0

Description:

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow. This
issue affects Apache Airflow from 2.4.0 to 2.7.0.

Sensitive configuration values were exposed to authenticated users who hold the permission to
read configuration through the Airflow REST API configuration endpoint, even when the
expose_config option was set to non-sensitive-only (the mode that is supposed to return only
non-sensitive values). The expose_config option is False by default, so deployments that left
it at the default are not affected; users who set expose_config to non-sensitive-only should
upgrade to a version that is not affected. This is a different issue from CVE-2023-45348, which
allows an authenticated user to retrieve individual configuration values in 2.7.* with a
specially crafted request (fixed in 2.7.2).

Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes \
CVE-2023-45348.

Credit:

id_No2015429 of 3H Security Team (finder)
Lee, Wei (finder)
Lee, Wei (remediation developer)

References:

https://github.com/apache/airflow/pull/32261
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46288

