From oss-security Wed Apr 17 22:19:39 2024
From: Ephraim Anierobi
Date: Wed, 17 Apr 2024 22:19:39 +0000
To: oss-security
Subject: [oss-security] CVE-2024-31869: Apache Airflow: Sensitive configuration fo
Message-Id: <747a6b7c-6cd3-a027-d0db-7235caa2ea11 () apache ! org>
X-MARC-Message: https://marc.info/?l=oss-security&m=171339278709903

Severity: low

Affected versions:
- Apache Airflow 2.7.0 through 2.8.4

Description:
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as the "webserver.expose_config" configuration (the Celery provider is currently the only community provider that has sensitive configurations). You should migrate to Airflow 2.9 or, as a workaround, change your "expose_config" configuration to False. This is similar to, but different from, CVE-2023-46288 (https://github.com/advisories/GHSA-9qqg-mh7c-chfq), which concerned the API, not the UI configuration page.

Credit:
Manmeet Rangoola (finder)
Jarek Potiuk (remediation developer)

References:
https://github.com/apache/airflow/pull/38795
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-31869
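A defender-side check for this advisory, added here as an example (not part of the original post and not Airflow's own code): it resolves the effective webserver.expose_config value the way Airflow does, where the AIRFLOW__WEBSERVER__EXPOSE_CONFIG environment variable overrides airflow.cfg, and flags a deployment only when an affected version is combined with the "non-sensitive-only" setting. The airflow.cfg fragment below is constructed sample input.

```python
import configparser

# Affected range stated in the advisory: Apache Airflow 2.7.0 through 2.8.4.
AFFECTED_MIN = (2, 7, 0)
AFFECTED_MAX = (2, 8, 4)

# Environment override Airflow honours for [webserver] expose_config.
ENV_KEY = "AIRFLOW__WEBSERVER__EXPOSE_CONFIG"

# Constructed sample airflow.cfg fragment with the risky setting.
SAMPLE_CFG = """
[webserver]
expose_config = non-sensitive-only
"""


def parse_version(version):
    """Turn '2.8.4' (or '2.9.0rc1') into a comparable tuple (2, 8, 4)."""
    core = version.split("+")[0].split("rc")[0]
    return tuple(int(part) for part in core.split(".")[:3])


def effective_expose_config(cfg_text, env):
    """Resolve webserver.expose_config: env var beats airflow.cfg,
    and Airflow's default when neither is set is False."""
    if ENV_KEY in env:
        return env[ENV_KEY].strip().lower()
    # interpolation=None so '%'-style values in a real airflow.cfg do not break parsing
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.get("webserver", "expose_config", fallback="False").strip().lower()


def is_exposed_to_cve_2024_31869(version, cfg_text, env=None):
    """True when the version is in the affected range AND expose_config is
    'non-sensitive-only', the combination the advisory describes.
    The advisory's workaround (expose_config = False) clears the finding."""
    v = parse_version(version)
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return False
    return effective_expose_config(cfg_text, env or {}) == "non-sensitive-only"


if __name__ == "__main__":
    verdict = is_exposed_to_cve_2024_31869("2.8.4", SAMPLE_CFG)
    print("CVE-2024-31869 exposure:", verdict)  # prints True for the sample
```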