#VU69472 Information disclosure in Apache Airflow - CVE-2022-27949 

 


Published: November 22, 2022


Vulnerability identifier: #VU69472
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-27949
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Apache Airflow
Software vendor: Apache Foundation

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the way the Apache Airflow UI displays sensitive information. A remote user can view unmasked secrets in the rendered template values of tasks that were not executed (for example, when the tasks depended on past runs and previous instances of the task had failed).


Remediation

Install updates from the vendor's website.
