CVE-2024-50378: Sensitive Info Insertion into Sent Data in Apache Software Foundation Apache Airflow

Severity: 4.9 MEDIUM (NVD)
EPSS: 0.4% (top 41.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 8; Latest update Feb 24

Description

Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via the Airflow CLI, the values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previousl

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.2 | Impact: 3.6

Affected Packages: 2 packages

Patches

Vulnerability Details (4 entries)

GHSA: Apache Airflow exposes sensitive information in its log files (2026-02-24)
GHSA: Apache Airflow vulnerable to Insertion of Sensitive Information Into Sent Data (2024-11-08)
CVEList: Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli (2024-11-08)
OSV: Apache Airflow vulnerable to Insertion of Sensitive Information Into Sent Data (2024-11-08)

Community (1 entry)

HackerOne: Secrets not masked in UI when sensitive variables are set via Airflow cli (2024-12-30)
CVE-2024-50378 — MEDIUM severity | cvebase