CVE-2023-51702: Cleartext Storage of Sensitive Info in Software Foundation Apache Airflow

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 80.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 24

Description

Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. Additionally, if used with an Airflow version between 2.3.0 and 2.6.0, the configuration dictionary will be logged as plain text in the triggerer service without masking. This allows anyone with access to the metadata or triggerer lo

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 4 packages

Patches

Vulnerability Details (3)

GHSA: Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service (2024-01-24)
CVEList: Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service (2024-01-24)
OSV: Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service (2024-01-24)