Vulnerability Description
Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | < 2.10.3 |
Related Weaknesses (CWE)
References
- https://github.com/apache/airflow/pull/43123Issue TrackingPatch
- https://lists.apache.org/thread/17rxys384lzfd6nhm3fztzgvk47zy7jbMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2024/11/08/5Mailing ListThird Party Advisory
FAQ
What is CVE-2024-50378?
CVE-2024-50378 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were...
How severe is CVE-2024-50378?
CVE-2024-50378 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-50378?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow.