CVE-2022-27949: Sensitive Information Exposure in Apache Software Foundation Apache Airflow

Severity: 7.5 HIGH (NVD)
EPSS: 1.6% (top 18.04%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 14

Description

A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD: apache/airflow < 2.3.1
CVEListV5: apache_software_foundation/apache_airflow unspecified 2.3.1

Vulnerability Details (4)
OSV (2022-11-14): CVE-2022-27949: A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for
CVEList (2022-11-14): Apache Airflow prior to 2.3.1 may include sensitive values in rendered template
GHSA (2022-11-14): Apache Airflow subject to Exposure of Sensitive Information
OSV (2022-11-14): Apache Airflow subject to Exposure of Sensitive Information