CVE-2023-40712 – apache-airflow
Package
Manager: pip
Name: apache-airflow
Vulnerable Version: >=0 <2.7.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00125 (percentile 0.32476)
Details
Apache Airflow information exposure vulnerability

Apache Airflow versions before 2.7.1 are affected by a vulnerability that allows authenticated users who have access to see the task/DAG in the UI to craft a URL that could lead to unmasking the secret configuration of the task, which would otherwise be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later, which has removed the vulnerability.
Metadata
Created: 2023-09-12T19:25:08Z
Modified: 2024-11-18T16:26:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-mjqh-v5f2-g2mw/GHSA-mjqh-v5f2-g2mw.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-mjqh-v5f2-g2mw
Finding: F038
Auto approve: 1