6.5

CVE-2023-35005

EPSS 0.19%
Veröffentlicht 19.06.2023 09:15:09
Zuletzt bearbeitet 21.11.2024 08:07:48
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.

This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive.


This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version >= 2.5.0 < 2.6.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.409

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/apache/airflow/pull/31788

Patch

https://github.com/apache/airflow/pull/31820

Issue Tracking

https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-35005

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-35005

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-35005

EUVD