CVE-2023-35005

CWE-200 — Information Exposure5 documents4 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 56.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedJun 19

Description

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/airflow2.5.0 — 2.6.2

▶PyPIapache-airflow2.5.0 — 2.6.2rc1+1

▶CVEListV5apache_software_foundation/apache_airflow2.5.0 — 2.6.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Apache Airflow vulnerable to exposure of sensitive information↗2023-06-19

▶

OSV

CVE-2023-35005: In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations↗2023-06-19

▶

GHSA

Apache Airflow vulnerable to exposure of sensitive information↗2023-06-19

▶

CVEList

Apache Airflow: Information disclosure on configuration view↗2023-06-19

▶