Main Vulnerability Database SB2024012516

SB2024012516 - Information disclosure in Apache Airflow and Apache Airflow CNCF Kubernetes provider

Published: January 25, 2024

Security Bulletin ID SB2024012516

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2023-51702)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to Airflow worker serializes Kubernetes configuration file for authentication as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. A local user can read the log files and gain access to sensitive data.

Remediation

Install update from vendor's website.

References

https://github.com/apache/airflow/pull/29498
https://github.com/apache/airflow/pull/30110
https://github.com/apache/airflow/pull/36492
https://lists.apache.org/thread/89x3q6lz5pykrkr1fkr04k4rfn9pvnv9
http://www.openwall.com/lists/oss-security/2024/01/24/3