CVE-2023-35005

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-35005
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-35005.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-35005
Aliases
Published
2023-06-19T09:15:09Z
Modified
2024-10-12T10:58:20.206412Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.

This vulnerability is mitigated by the fact that configuration is not shown in the UI by default (only if [webserver] expose_config is set to non-sensitive-only), and not all uncensored values are actually sensitive.

This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type
GIT
Repo
https://github.com/apache/airflow
Events

Affected versions

providers-amazon/8.*

providers-amazon/8.27.0
providers-amazon/8.27.0rc2

providers-apache-beam/5.*

providers-apache-beam/5.7.2
providers-apache-beam/5.7.2rc2

providers-apache-drill/2.*

providers-apache-drill/2.7.3
providers-apache-drill/2.7.3rc1

providers-apache-druid/3.*

providers-apache-druid/3.10.2
providers-apache-druid/3.10.2rc1

providers-apache-impala/1.*

providers-apache-impala/1.4.2
providers-apache-impala/1.4.2rc1

providers-apache-pinot/4.*

providers-apache-pinot/4.4.2
providers-apache-pinot/4.4.2rc1

providers-apprise/1.*

providers-apprise/1.3.2
providers-apprise/1.3.2rc1

providers-celery/3.*

providers-celery/3.7.3
providers-celery/3.7.3rc1

providers-cncf-kubernetes/8.*

providers-cncf-kubernetes/8.3.4
providers-cncf-kubernetes/8.3.4rc1

providers-common-compat/1.*

providers-common-compat/1.1.0
providers-common-compat/1.1.0rc1

providers-common-io/1.*

providers-common-io/1.4.0
providers-common-io/1.4.0rc1

providers-common-sql/1.*

providers-common-sql/1.15.0
providers-common-sql/1.15.0rc1

providers-databricks/6.*

providers-databricks/6.8.0
providers-databricks/6.8.0rc1

providers-docker/3.*

providers-docker/3.12.3
providers-docker/3.12.3rc1

providers-elasticsearch/5.*

providers-elasticsearch/5.4.2
providers-elasticsearch/5.4.2rc1

providers-exasol/4.*

providers-exasol/4.5.3
providers-exasol/4.5.3rc1

providers-ftp/3.*

providers-ftp/3.10.1
providers-ftp/3.10.1rc1

providers-google/10.*

providers-google/10.21.1
providers-google/10.21.1rc2

providers-jdbc/4.*

providers-jdbc/4.4.0
providers-jdbc/4.4.0rc1

providers-microsoft-azure/10.*

providers-microsoft-azure/10.3.0
providers-microsoft-azure/10.3.0rc1

providers-microsoft-mssql/3.*

providers-microsoft-mssql/3.8.0
providers-microsoft-mssql/3.8.0rc1

providers-mysql/5.*

providers-mysql/5.6.3
providers-mysql/5.6.3rc1

providers-odbc/4.*

providers-odbc/4.6.3
providers-odbc/4.6.3rc1

providers-openlineage/1.*

providers-openlineage/1.10.0
providers-openlineage/1.10.0rc1

providers-pgvector/1.*

providers-pgvector/1.2.2
providers-pgvector/1.2.2rc1

providers-postgres/5.*

providers-postgres/5.11.3
providers-postgres/5.11.3rc1

providers-qdrant/1.*

providers-qdrant/1.1.2
providers-qdrant/1.1.2rc1

providers-sftp/4.*

providers-sftp/4.10.3
providers-sftp/4.10.3rc1

providers-slack/8.*

providers-slack/8.8.0
providers-slack/8.8.0rc1

providers-snowflake/5.*

providers-snowflake/5.6.1
providers-snowflake/5.6.1rc1

providers-sqlite/3.*

providers-sqlite/3.8.2
providers-sqlite/3.8.2rc1

providers-ssh/3.*

providers-ssh/3.12.0
providers-ssh/3.12.0rc1

providers-teradata/2.*

providers-teradata/2.5.0
providers-teradata/2.5.0rc1

providers-ydb/1.*

providers-ydb/1.2.0
providers-ydb/1.2.0rc1