6.5

CVE-2023-40712

EPSS 0.14%
Published 12.09.2023 12:15:08
Last modified 21.11.2024 08:20:00
Source security@apache.org
Teams watchlist Login
Open Login

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.

Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Airflow Version < 2.7.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.342

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/apache/airflow/pull/33512

Vendor Advisory

https://github.com/apache/airflow/pull/33516

Vendor Advisory

https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-40712

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-40712

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-40712

EUVD