Debug Messages Revealing Unnecessary Information
CVE-2024-45784
Summary
Apache Airflow contains a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In the fixed version, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. This issue affects apache-airflow versions prior to 2.10.3rc1. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.
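The masking idea described in the summary, as an added example that is not Airflow's own implementation: a standard-library logging filter that redacts known secret values before a handler writes them, plus a check of existing log lines to decide which secrets to rotate. The names `SecretMaskingFilter`, `leaked_secret_names` and `demo`, and the sample values, are assumptions made for illustration.

```python
import logging

REDACTED = "***"

class SecretMaskingFilter(logging.Filter):
    """Hypothetical filter: redacts known secret values in a record's message and args."""

    def __init__(self, secrets):
        super().__init__()
        # Longest first, so a secret that contains a shorter one is replaced whole.
        self._secrets = sorted((s for s in secrets if s), key=len, reverse=True)

    def redact(self, text):
        for secret in self._secrets:
            text = text.replace(secret, REDACTED)
        return text

    def filter(self, record):
        # Render msg % args first: the secret often arrives through args.
        record.msg = self.redact(record.getMessage())
        record.args = None
        return True  # keep the record, now redacted

def leaked_secret_names(log_lines, named_secrets):
    """Names of secrets whose values occur in already-written log lines."""
    return sorted({name for name, value in named_secrets.items() if value
                   for line in log_lines if value in line})

def demo():
    # Constructed sample values, not real credentials.
    secrets = {"sql_alchemy_conn": "postgresql://user:EXAMPLE-PASSWORD@db/airflow",
               "fernet_key": "EXAMPLE-FERNET-KEY-0000"}
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    log = logging.getLogger("task_log_demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    handler = ListHandler()
    handler.addFilter(SecretMaskingFilter(secrets.values()))
    log.addHandler(handler)
    log.debug("conn=%s", secrets["sql_alchemy_conn"])
    return captured
```

Exact-match redaction only hides values the filter was told about, so a transformed copy of a secret (encoded, split or truncated) would still reach the log.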
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-1295 - Debug Messages Revealing Unnecessary Information
The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.