First published: Fri Oct 13 2023
Apache Airflow versions 2.7.0 and 2.7.1 are affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the `expose_config` option is set to `non-sensitive-only`, a setting whose purpose is to expose only the non-sensitive part of the configuration. The `expose_config` option is `False` by default. It is recommended to upgrade to a version that is not affected.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Airflow | >=2.7.0, <2.7.2 | 2.7.2 |
pip/apache-airflow | >=2.7.0, <2.7.2 | 2.7.2 |
CVE-2023-45348 is a vulnerability in Apache Airflow that allows an authenticated user to retrieve sensitive configuration information that should have been withheld.
Versions 2.7.0 and 2.7.1 of Apache Airflow are affected by CVE-2023-45348; 2.7.2 is the fixed release.
CVE-2023-45348 is exploitable only when an administrator has set the `expose_config` option to `non-sensitive-only`. In that configuration an authenticated user who can view the exposed configuration obtains sensitive values that the setting was meant to exclude; the user does not need to change the option themselves.
The `expose_config` option is `False` by default in Apache Airflow, so a deployment that has never enabled it is not exposed.
To fix CVE-2023-45348, upgrade Apache Airflow to version 2.7.2 or later. Until the upgrade is done, setting `expose_config` back to `False` removes the exposure, since the vulnerability requires the `non-sensitive-only` setting.
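The following triage script is an added example and is not part of this advisory or of the Airflow project. It applies the two facts the advisory gives, the affected range `>=2.7.0,<2.7.2` and the `non-sensitive-only` precondition, to a deployment's version string and `airflow.cfg`. It assumes Airflow's documented configuration layout (the option lives in the `[webserver]` section and can be overridden by the `AIRFLOW__WEBSERVER__EXPOSE_CONFIG` environment variable); the config fragments embedded below are constructed for the example, not taken from any real deployment.

```python
"""Triage check for CVE-2023-45348: Airflow 2.7.0/2.7.1 with expose_config = non-sensitive-only.

Added example, not advisory or Airflow project code. Assumes only what the advisory
states (affected >=2.7.0,<2.7.2; precondition expose_config = non-sensitive-only)
plus Airflow's documented config layout ([webserver] section, AIRFLOW__<SECTION>__<KEY>
environment overrides).
"""
import configparser
import re
from typing import Optional, Tuple

AFFECTED_MIN = (2, 7, 0)   # inclusive lower bound, from the advisory
FIXED = (2, 7, 2)          # first fixed release (exclusive upper bound)
ENV_OVERRIDE = "AIRFLOW__WEBSERVER__EXPOSE_CONFIG"

# Constructed airflow.cfg fragments for the example (not real deployments).
VULNERABLE_CFG = """
[webserver]
expose_config = non-sensitive-only
"""
DEFAULT_CFG = """
[webserver]
web_server_port = 8080
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.7.1' (or a pre-release like '2.7.1rc1') into (major, minor, patch).

    Pre-release suffixes are ignored on purpose: a 2.7.1rc1 build is still inside
    the affected range for triage purposes.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Airflow version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def version_affected(version: str) -> bool:
    """True when the version falls in >=2.7.0,<2.7.2."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def effective_expose_config(cfg_text: str, env: Optional[dict] = None) -> str:
    """Resolve expose_config with Airflow's precedence: env override > airflow.cfg > default False."""
    env = env or {}
    if ENV_OVERRIDE in env:
        return env[ENV_OVERRIDE].strip().lower()
    # interpolation=None: airflow.cfg may contain '%' sequences that are not configparser interpolation
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    return cfg.get("webserver", "expose_config", fallback="False").strip().lower()


def assess(version: str, cfg_text: str, env: Optional[dict] = None) -> Tuple[bool, str]:
    """Return (exposed, reason) for one deployment."""
    value = effective_expose_config(cfg_text, env)
    if not version_affected(version):
        return False, f"version {version} is outside the affected range >=2.7.0,<2.7.2"
    if value == "non-sensitive-only":
        return True, ("CVE-2023-45348: authenticated users can read sensitive configuration "
                      "values; upgrade to 2.7.2 or set expose_config = False until then")
    if value == "true":
        return False, ("expose_config = True exposes the whole configuration by design; "
                       "not this CVE, but confirm that is intended")
    return False, "expose_config is False (the default): configuration is not exposed"


if __name__ == "__main__":
    cases = [
        ("2.7.1 + non-sensitive-only", "2.7.1", VULNERABLE_CFG, None),
        ("2.7.2 + non-sensitive-only", "2.7.2", VULNERABLE_CFG, None),
        ("2.7.1 + defaults", "2.7.1", DEFAULT_CFG, None),
        ("2.7.0 + env override", "2.7.0", DEFAULT_CFG, {ENV_OVERRIDE: "non-sensitive-only"}),
    ]
    for label, ver, cfg, env in cases:
        exposed, why = assess(ver, cfg, env)
        print(f"{label}: {'EXPOSED' if exposed else 'ok'} - {why}")
```

The environment-variable branch matters in practice: container deployments usually set Airflow options through `AIRFLOW__WEBSERVER__EXPOSE_CONFIG` rather than by editing `airflow.cfg`, so a check that only reads the file would report a clean default while the running webserver is actually in the vulnerable state.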