Vulnerability Description
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | < 2.7.1 |
Related Weaknesses (CWE)
References
- https://github.com/apache/airflow/pull/33512 (Vendor Advisory)
- https://github.com/apache/airflow/pull/33516 (Vendor Advisory)
- https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts (Mailing List, Vendor Advisory)
FAQ
What is CVE-2023-40712?
CVE-2023-40712 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.
How severe is CVE-2023-40712?
CVE-2023-40712 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2023-40712?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow.