CVE-2023-45348: Apache Airflow: Configuration information leakage vulnerability
First published: Fri Oct 13 2023(Updated: )
Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "expose_config" option is set to "non-sensitive-only". The `expose_config` option is False by default. It is recommended to upgrade to a version that is not affected.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Airflow | >=2.7.0<2.7.2 | |
| pip/apache-airflow | >=2.7.0<2.7.2 | 2.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/apache/airflow/pull/34712
- https://lists.apache.org/thread/sy4l5d6tn58hr8r61r2fkt1f0qock9z9
- http://www.openwall.com/lists/oss-security/2023/10/23/2
- https://nvd.nist.gov/vuln/detail/CVE-2023-45348
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-204.yaml
- https://github.com/advisories/GHSA-fpxx-xv4c-gxqp (Advisory)
- https://github.com/apache/airflow/commit/a4a0b5dd3d0ce05311c70bb9a32b66a650dbc0b4
Frequently Asked Questions
What is CVE-2023-45348?
CVE-2023-45348 is a vulnerability in Apache Airflow that allows an authenticated user to retrieve sensitive configuration information.
What versions of Apache Airflow are affected by CVE-2023-45348?
Versions 2.7.0 and 2.7.1 of Apache Airflow are affected by CVE-2023-45348.
How can an authenticated user exploit CVE-2023-45348?
An authenticated user can exploit CVE-2023-45348 by setting the `expose_config` option to `non-sensitive-only` and retrieving sensitive configuration information.
What is the default value of the `expose_config` option in Apache Airflow?
The `expose_config` option is `False` by default in Apache Airflow.
How can I fix CVE-2023-45348 in Apache Airflow?
To fix CVE-2023-45348, it is recommended to upgrade Apache Airflow to version 2.7.2.
- collector/oss-sec
- alias/CVE-2023-45348
- collector/nvd-index
- collector/mitre-cve
- collector/nvd-api
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fpxx-xv4c-gxqp
- agent/software-canonical-lookup
- agent/remedy
- agent/title
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/author
- agent/event
- agent/description
- collector/nvd-cve
- source/NVD
- agent/tags
- collector/github-advisory
- vendor/apache
- canonical/apache airflow
- version/apache airflow/2.7.0
- package-manager/pip