Information disclosure in Apache Airflow
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-27949 |
| CWE-ID | CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Apache Airflow Web applications / Modules and components for CMS |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU69472
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-27949
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to the way the Apache Airflow UI displays sensitive information. A remote user can view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed).
Install updates from vendor's website.
Vulnerable software versionsApache Airflow: 2.0.0 - 2.3.0
External linkshttp://github.com/apache/airflow/pull/22754
http://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p
http://www.openwall.com/lists/oss-security/2022/11/14/3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
