Information disclosure in Apache Airflow - CVE-2022-27949

 

Information disclosure in Apache Airflow - CVE-2022-27949

Published: November 22, 2022


Vulnerability identifier: #VU69472
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-27949
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Airflow

Detailed vulnerability description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the way the Apache Airflow UI displays sensitive information. A remote user can view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed).


How to mitigate CVE-2022-27949

Install updates from vendor's website.

Sources