CVE-2023-35005

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/apache/airflow/pull/31788	Patch
https://github.com/apache/airflow/pull/31820	Issue Tracking
https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd	Mailing List Vendor Advisory
https://github.com/apache/airflow/pull/31788	Patch
https://github.com/apache/airflow/pull/31820	Issue Tracking
https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:07

Type	Values Removed	Values Added
References	~~() https://github.com/apache/airflow/pull/31788 - Patch~~	() https://github.com/apache/airflow/pull/31788 - Patch
References	~~() https://github.com/apache/airflow/pull/31820 - Issue Tracking~~	() https://github.com/apache/airflow/pull/31820 - Issue Tracking
References	~~() https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd - Mailing List, Vendor Advisory~~	() https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd - Mailing List, Vendor Advisory

Information

Published : 2023-06-19 09:15

Updated : 2024-11-21 08:07

NVD link : CVE-2023-35005

Mitre link : CVE-2023-35005

CVE.ORG link : CVE-2023-35005

JSON object : View

Products Affected

apache

airflow

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2023-35005", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-06-19T09:15:09.380", "references": [{"url": "https://github.com/apache/airflow/pull/31788", "tags": ["Patch"], "source": "security@apache.org"}, {"url": "https://github.com/apache/airflow/pull/31820", "tags": ["Issue Tracking"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://github.com/apache/airflow/pull/31788", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/apache/airflow/pull/31820", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.\n\nThis vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive.\n\n\nThis issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.\n\n\n"}], "lastModified": "2024-11-21T08:07:48.910", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5E73654-0236-4B7F-AEDF-94A8F5812E88", "versionEndExcluding": "2.6.2", "versionStartIncluding": "2.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}