CVE-2023-40712 — Sensitive Information Exposure in Software Foundation Apache Airflow

CWE-200 — Sensitive Information Exposure5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 66.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedSep 12

Description

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/airflow< 2.7.1

▶CVEListV5apache_software_foundation/apache_airflow< 2.7.1

🔴Vulnerability Details

OSV

CVE-2023-40712: Apache Airflow, versions before 2↗2023-09-12

▶

CVEList

Apache Airflow: Secrets can be unmasked in the "Rendered Template"↗2023-09-12

▶

OSV

Apache Airflow information exposure vulnerability↗2023-09-12

▶

GHSA

Apache Airflow information exposure vulnerability↗2023-09-12

▶