6.5

CVE-2023-40712

EPSS 0.14%
Veröffentlicht 12.09.2023 12:15:08
Zuletzt bearbeitet 21.11.2024 08:20:00
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.

Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version < 2.7.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.342

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/apache/airflow/pull/33512

Vendor Advisory

https://github.com/apache/airflow/pull/33516

Vendor Advisory

https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-40712

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-40712

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-40712

EUVD