CVE-2023-45348 — Sensitive Information Exposure in Software Foundation Apache Airflow

CWE-200 — Sensitive Information Exposure6 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 36.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedOct 14

Latest updateOct 23

Description

Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "expose_config" option is set to "non-sensitive-only". The `expose_config` option is False by default. It is recommended to upgrade to a version that is not affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDapache/airflow2.7.0 — 2.7.2

▶CVEListV5apache_software_foundation/apache_airflow2.7.0 — 2.7.2+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Apache Airflow vulnerable to Exposure of Sensitive Information↗2023-10-23

▶

OSV

CVE-2023-45348: Apache Airflow, versions 2↗2023-10-14

▶

OSV

Apache Airflow vulnerable to sensitive information exposure when expose-config is set to non-sensitive-only↗2023-10-14

▶

CVEList

Apache Airflow: Configuration information leakage vulnerability↗2023-10-14

▶

GHSA

Apache Airflow vulnerable to sensitive information exposure when expose-config is set to non-sensitive-only↗2023-10-14

▶