#VU100210 Inclusion of Sensitive Information in Log Files in Apache Airflow - CVE-2024-50378

Cybersecurity Help s.r.o.

Published: 2024-11-11

Vulnerability identifier: #VU100210

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50378

CWE-ID: CWE-532

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Airflow
Web applications / Modules and components for CMS

Vendor: Apache Foundation

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files, when sensitive variables were set via airflow CLI. A remote user with audit log access can the audit log and gain access to sensitive data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Airflow: 2.0.0 - 2.10.2

External links
https://github.com/apache/airflow/pull/43123
https://lists.apache.org/thread/q6rctpqh5z27l6tx4wgkxdcltmvtx6kd

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Apache Airflow