High severityNVD Advisory· Published Jun 19, 2023· Updated Oct 9, 2024
Apache Airflow: Information disclosure on configuration view
CVE-2023-35005
Description
In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.
This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if [webserver] expose_config is set to non-sensitive-only), and not all uncensored values are actually sentitive.
This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflowPyPI | >= 2.5.0, < 2.6.2rc1 | 2.6.2rc1 |
Affected products
3- osv-coords2 versions
>= 2.5.0, < 2.6.2+ 1 more
- (no CPE)range: >= 2.5.0, < 2.6.2
- (no CPE)range: >= 2.5.0, < 2.6.2rc1
Patches
Vulnerability mechanics
References
8- github.com/apache/airflow/pull/31788ghsapatchWEB
- github.com/apache/airflow/pull/31820ghsapatchWEB
- github.com/advisories/GHSA-mjff-wv85-hmcjghsaADVISORY
- lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjdghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-35005ghsaADVISORY
- github.com/apache/airflow/commit/5679a01919ac9d5153e858f8b1390cbc7915f148ghsaWEB
- github.com/apache/airflow/commit/f6cda8fb63250fc4700658999739c1c3c5f6625cghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-89.yamlghsaWEB
News mentions
0No linked articles in our index yet.