First published: Tue Sep 12 2023 (Updated: )
Apache Airflow versions before 2.7.1 are affected by a vulnerability that allows authenticated users who have access to view the task/dag in the UI to craft a URL that unmasks the task's secret configuration, which would otherwise be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later, which removes the vulnerability.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Airflow | <2.7.1 | |
pip/apache-airflow | >=0, <2.7.1 | 2.7.1 |
CVE-2023-40712 is a vulnerability in Apache Airflow that allows authenticated users to unmask secret configuration in the UI.
Versions before 2.7.1 of Apache Airflow are affected by CVE-2023-40712.
An authenticated user who has access to see the task/dag in the UI can craft a URL to unmask the secret configuration.
CVE-2023-40712 has a severity rating of 6.5 (medium).
To fix CVE-2023-40712, upgrade to Apache Airflow version 2.7.1 or higher.
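As an added example (not part of this advisory or of the Airflow project), a small audit script that flags apache-airflow pins below the fixed release 2.7.1 in `pip freeze` output. The sample output is constructed; pre-releases such as 2.7.1rc1 are ordered before 2.7.1, as under PEP 440, so they are still reported as affected.

```python
import re
from typing import List, Tuple

# CVE-2023-40712 (from the advisory): every Apache Airflow release before 2.7.1
# is affected; 2.7.1 is the first fixed release.
FIXED_VERSION = "2.7.1"

# PEP 440 style ordering of pre-release segments: a < b < rc < final release.
_PRE_ORDER = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "rc": 2, "c": 2, "": 3}
_VERSION_RE = re.compile(
    r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[.-]?(a|alpha|b|beta|rc|c)(\d*))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.7.1rc1' into a comparable tuple (major, minor, patch, pre_rank, pre_num)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor or 0), int(patch or 0),
            _PRE_ORDER[(pre or "").lower()], int(pre_num or 0))


def is_affected(installed: str) -> bool:
    """True when the installed apache-airflow version is older than 2.7.1."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


# Constructed sample in the format produced by `pip freeze` (not real output).
SAMPLE_PIP_FREEZE = """\
apache-airflow==2.6.3
apache-airflow-providers-amazon==8.4.0
apache-airflow==2.7.1rc1
Flask==2.2.5
"""


def find_affected(pip_freeze_output: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every apache-airflow pin in pip freeze output."""
    results = []
    for line in pip_freeze_output.splitlines():
        name, sep, ver = line.partition("==")
        if sep and name.strip().lower() == "apache-airflow":
            results.append((ver.strip(), is_affected(ver.strip())))
    return results


if __name__ == "__main__":
    for ver, affected in find_affected(SAMPLE_PIP_FREEZE):
        print(f"apache-airflow {ver}: {'AFFECTED, upgrade to 2.7.1' if affected else 'not affected'}")
```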