CVE-2024-45784

CWE-1295 | 6 documents | 5 sources

Severity: 7.5 HIGH
EPSS: 1.1% (top 22.37%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Nov 15
Latest update: Dec 30

Description

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables fr

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

NVD: apache/airflow < 2.10.3
PyPI: apache-airflow < 2.10.3
PyPI: airflow < 2.10.3

🔴 Vulnerability Details (4)

GHSA: Apache Airflow: Sensitive configuration values are not masked in the logs by default (2024-11-15)
OSV: Apache Airflow: Sensitive configuration values are not masked in the logs by default (2024-11-15)
CVEList: Apache Airflow: Sensitive configuration values are not masked in the logs by default (2024-11-15)
OSV: CVE-2024-45784: Apache Airflow versions before 2 (2024-11-15)

💬 Community (1)

HackerOne: Apache Airflow: Sensitive Information Exposure in DAG Run Logs (2024-12-30)
CVE-2024-45784 (HIGH CVSS 7.5) | Apache Airflow versions before 2.10 | cvebase.io