Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Fri, 08 Nov 2024 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
Fri, 08 Nov 2024 14:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table. | |
Title | Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli | |
Weaknesses | CWE-201 | |
References |
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-11-08T14:37:09.699Z
Updated: 2024-11-08T19:02:35.081Z
Reserved: 2024-10-23T08:55:38.660Z
Link: CVE-2024-50378
Vulnrichment
Updated: 2024-11-08T19:02:35.081Z
NVD
Status : Awaiting Analysis
Published: 2024-11-08T15:15:06.143
Modified: 2024-11-21T09:44:35.040
Link: CVE-2024-50378
Redhat
No data.