Insertion of Sensitive Information Into Sent Data

CVE-2024-50378

Severity Medium
Score 4.9/10

Summary

Airflow has a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs that they should not see. When sensitive variables were set via the Airflow CLI, the values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to a fixed version, which addresses this issue. This issue affects apache-airflow versions prior to 2.10.3rc1. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.
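One way to carry out the manual cleanup of the log table described above, as an added example that is not part of the advisory or of Airflow's own code. It assumes CLI audit rows carry the event name cli_variables_set and keep the command line in the extra column as JSON under full_command; confirm both against your own metadata database before deleting anything. The in-memory table, host name and secret value are constructed sample data.

```python
import json
import sqlite3

# Assumption: CLI audit rows use this event name and store the command line
# in extra as JSON {"full_command": "[...argv...]"}. Verify on your own DB.
CLI_EVENT = "cli_variables_set"


def find_leaky_rows(conn, secret_keys):
    """Return ids of log rows whose recorded command sets one of secret_keys."""
    hits = []
    rows = conn.execute("SELECT id, extra FROM log WHERE event = ?", (CLI_EVENT,))
    for row_id, extra in rows:
        try:
            command = str(json.loads(extra or "{}").get("full_command", ""))
        except (ValueError, AttributeError):
            command = extra or ""  # unparseable: fall back to the raw text
        # Match the key as a quoted argv element, not as part of another key.
        if any(f"'{k}'" in command or f'"{k}"' in command for k in secret_keys):
            hits.append(row_id)
    return hits


def purge_rows(conn, row_ids):
    """Delete the given log rows in one transaction; return the number removed."""
    with conn:
        cur = conn.executemany("DELETE FROM log WHERE id = ?", [(i,) for i in row_ids])
    return cur.rowcount


def build_demo_db():
    """Constructed in-memory stand-in for the Airflow metadata DB (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, event TEXT, owner TEXT, extra TEXT)")
    samples = [
        ("cli_variables_set", "['airflow', 'variables', 'set', 'db_password', 'EXAMPLE-SECRET']"),
        ("cli_variables_set", "['airflow', 'variables', 'set', 'page_size', '50']"),
        ("cli_dags_list", "['airflow', 'dags', 'list']"),
    ]
    for event, cmd in samples:
        extra = json.dumps({"host_name": "constructed-host", "full_command": cmd})
        conn.execute("INSERT INTO log (event, owner, extra) VALUES (?, 'ops', ?)", (event, extra))
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    ids = find_leaky_rows(db, ["db_password"])
    print("rows to delete:", ids)
    print("deleted:", purge_rows(db, ids))
```

Review the ids returned by find_leaky_rows before calling purge_rows, and rotate any secret that was exposed, since deleting the rows does not undo earlier reads of the audit log.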

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • HIGH
  • HIGH
  • NONE

CWE-201 - Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Advisory Timeline

  • Published