<p>Upgrade <code>apache-airflow</code> to version 2.9.0 or higher.</p>

Information Exposure Affecting apache-airflow package, versions [2.7.0,2.9.0)

Snyk CVSS

Attack Complexity Low

Confidentiality High

Threat Intelligence

EPSS 0.04% (9^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-APACHEAIRFLOW-6663323
published 19 Apr 2024
disclosed 18 Apr 2024
credit Manmeet Rangoola

Report a new vulnerability Found a mistake?

Introduced: 18 Apr 2024

New CVE-2024-31869 Open this link in a new tab CWE-200 Open this link in a new tab

How to fix?

Upgrade apache-airflow to version 2.9.0 or higher.

Overview

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Information Exposure via the configuration UI page. An attacker can see sensitive provider configuration by setting webserver.expose_config to non-sensitive-only, even though the celery provider is the only community provider currently that has sensitive configurations.

Note:

This is only exploitable if webserver.expose_config configuration is set to non-sensitive-only.

Workaround

This vulnerability can be mitigated by changing the expose_config configuration to False.