What is the vulnerability ID?

The vulnerability ID is CVE-2023-46215.

What is the severity of CVE-2023-46215?

The severity of CVE-2023-46215 is high with a severity value of 7.5.

What software is affected by CVE-2023-46215?

Apache Airflow and Apache Airflow Celery provider are affected by CVE-2023-46215.

What is the impact of CVE-2023-46215?

Sensitive information is logged as clear text when certain protocols are used as Celery result backend.

Are there any fixes or patches available for CVE-2023-46215?

Yes, please refer to the references for the fix and patch information.

Vulnerability/
CVE-2023-46215

high

7.5

CWE

532

28/10/2023

21/11/2024

CVE-2023-46215: Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend

First published: Sat Oct 28 2023(Updated: )

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vulnerability is about the information exposed in the logs not about accessing the logs. This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3. Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue.

Credit: security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
pip/apache-airflow	>=1.10.0<2.7.0	2.7.0
pip/apache-airflow-providers-celery	>=3.3.0<3.4.1	3.4.1
Apache Airflow	>=1.10.0<2.7.0
Apache Airflow Celery provider	>=3.3.0<=3.4.0
	>=1.10.0<2.7.0
	>=3.3.0<=3.4.0

Remedy

https://github.com/apache/airflow/pull/34954

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID?
The vulnerability ID is CVE-2023-46215.
What is the severity of CVE-2023-46215?
The severity of CVE-2023-46215 is high with a severity value of 7.5.
What software is affected by CVE-2023-46215?
Apache Airflow and Apache Airflow Celery provider are affected by CVE-2023-46215.
What is the impact of CVE-2023-46215?
Sensitive information is logged as clear text when certain protocols are used as Celery result backend.
Are there any fixes or patches available for CVE-2023-46215?
Yes, please refer to the references for the fix and patch information.

collector/oss-sec
alias/CVE-2023-46215
collector/github-advisory-latest
alias/GHSA-666g-rfc5-c9jv
collector/nvd-cve
collector/github-advisory
agent/author
agent/type
agent/first-publish-date
agent/references
agent/severity
agent/title
agent/remedy
agent/weakness
agent/description
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
agent/softwarecombine
agent/event
agent/tags
agent/trending
package-manager/pip
vendor/apache
canonical/apache airflow
version/apache airflow/1.10.0
canonical/apache airflow celery provider
version/apache airflow celery provider/3.3.0
version/apache airflow celery provider/3.4.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.