CVE-2023-45348
Published 2023-10-14
Medium 4.3 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "expose_config" option is set to "non-sensitive-only". The `expose_config` option is False by default.
It is recommended to upgrade to a version that is not affected.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | airflow | >= 2.4.0 < 2.7.0 | 2.7.0 |
| apache | airflow | >= 2.7.0 < 2.7.2 | 2.7.2 |
| apache_software_foundation | apache_airflow | >= 2.4.0 < 2.7.0 | 2.7.0 |
| apache_software_foundation | apache_airflow | 2.7.0 – 2.8.4 | — |
CVSS provenance
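| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| ghsa | — | 4.3 | MEDIUM | — |
| osv | — | 4.3 | MEDIUM | — |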