Vulnerability Description
Apache Airflow versions 2.7.0 through 2.8.4 allow an authenticated user to read sensitive provider configuration values through the "Configuration" page of the web UI when webserver.expose_config is set to "non-sensitive-only". That setting is meant to hide values marked sensitive, but sensitive settings contributed by providers were not masked on that page (the Celery provider is currently the only community provider that declares sensitive configuration). Upgrade to Airflow 2.9 or later; as a workaround, set webserver.expose_config to False, which disables the configuration page entirely. This issue is similar to, but distinct from, CVE-2023-46288 (https://github.com/advisories/GHSA-9qqg-mh7c-chfq), which concerned the REST API rather than the UI configuration page.
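The following audit script is an added example written for this page, not code from the Airflow project. It takes the affected version window and the two expose_config states named above and reports whether a given Airflow version plus airflow.cfg falls into the vulnerable combination, then shows the workaround applied. Assumptions, also marked in the code: the airflow.cfg layout is a [webserver] section with an expose_config key, the environment variable AIRFLOW__WEBSERVER__EXPOSE_CONFIG overrides the file (Airflow's documented precedence), and the option defaults to False when unset. The sample config text is constructed for the example; the version string would come from `airflow version` or `airflow.__version__` in a real deployment.

```python
"""Audit an Airflow deployment for the CVE-2024-31869 configuration window.

Added example, not Airflow project code. Assumes the standard airflow.cfg
layout ([webserver] / expose_config), env-var-over-file precedence, and a
default of False when the option is absent.
"""
import configparser
import io
import os
import re
from typing import Mapping, Optional, Tuple

# Affected range from the advisory: >= 2.7.0 and < 2.9.0.
AFFECTED_MIN = (2, 7, 0)
FIXED_IN = (2, 9, 0)

# Constructed sample configs (not taken from any real deployment).
WEAK_CFG = """\
[webserver]
# Hides values Airflow itself marks sensitive, but on 2.7.0-2.8.4 sensitive
# provider (Celery) settings still appear on the Configuration UI page.
expose_config = non-sensitive-only
"""

HARDENED_CFG = """\
[webserver]
# Workaround from the advisory: disable the Configuration page entirely.
expose_config = False
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a version string such as '2.8.4' or '2.8.4rc1' to a 3-tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def effective_expose_config(cfg_text: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the expose_config value Airflow would use, lower-cased.

    Assumption: AIRFLOW__WEBSERVER__EXPOSE_CONFIG in the environment wins over
    airflow.cfg, and the option defaults to False when neither sets it.
    """
    env = os.environ if env is None else env
    override = env.get("AIRFLOW__WEBSERVER__EXPOSE_CONFIG")
    if override is not None:
        return override.strip().lower()
    # interpolation=None: airflow.cfg values may legitimately contain '%'.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.get("webserver", "expose_config", fallback="False").strip().lower()


def assess(version: str, cfg_text: str, env: Optional[Mapping[str, str]] = None) -> dict:
    """Combine version and effective setting into a verdict for this CVE."""
    mode = effective_expose_config(cfg_text, env)
    affected = is_affected_version(version)
    if mode in ("false", "f", "0"):
        verdict = "ok: Configuration page disabled"
    elif mode == "non-sensitive-only":
        verdict = (
            "VULNERABLE: CVE-2024-31869, sensitive provider config visible in the UI"
            if affected
            else "ok: non-sensitive-only masks provider values on this version"
        )
    elif mode in ("true", "t", "1"):
        verdict = "WARNING: expose_config=True shows the full config, sensitive values included, by design"
    else:
        verdict = f"unknown expose_config value {mode!r}; treat as a finding"
    return {"version": version, "affected_version": affected, "expose_config": mode, "verdict": verdict}


def remediate(cfg_text: str) -> str:
    """Return airflow.cfg text with [webserver] expose_config forced to False.

    Note: configparser drops comments on write; keep your own copy if they matter.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("webserver"):
        parser.add_section("webserver")
    parser.set("webserver", "expose_config", "False")
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.6.3", "2.7.0", "2.8.4", "2.9.0"):
        print(assess(ver, WEAK_CFG, env={}))
    print(assess("2.8.4", WEAK_CFG, env={"AIRFLOW__WEBSERVER__EXPOSE_CONFIG": "False"}))
    print(remediate(WEAK_CFG))
```

Pass `env={}` when auditing a config file from a machine other than the one you run the script on, otherwise the local shell's AIRFLOW__WEBSERVER__EXPOSE_CONFIG would silently override what the file says.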
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | >= 2.7.0, < 2.9.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2024/04/17/10 (Mailing List)
- https://github.com/apache/airflow/pull/38795 (Issue Tracking, Patch)
- https://lists.apache.org/thread/pz6vg7wcjk901rmsgt86h76g6kfcgtk3 (Mailing List)
FAQ
What is CVE-2024-31869?
CVE-2024-31869 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Airflow versions 2.7.0 through 2.8.4 allow an authenticated user to see sensitive provider configuration via the "Configuration" UI page when webserver.expose_config is set to "non-sensitive-only"; the Celery provider is currently the only community provider with sensitive configuration.
How severe is CVE-2024-31869?
CVE-2024-31869 has been rated MEDIUM with a CVSS base score of 4.3/10. Exploitation requires an authenticated web UI user, and the impact is disclosure of sensitive provider configuration values.
Is there a patch for CVE-2024-31869?
Yes. The fix (apache/airflow pull request 38795, listed in the references above) is included in Airflow 2.9; upgrade to 2.9 or later. If you cannot upgrade yet, set webserver.expose_config to False, which disables the Configuration page. Affected products: Apache Airflow >= 2.7.0 and < 2.9.0.