GHSA-cvcq-gmc3-q6m8

Source

https://github.com/advisories/GHSA-cvcq-gmc3-q6m8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-cvcq-gmc3-q6m8/GHSA-cvcq-gmc3-q6m8.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cvcq-gmc3-q6m8

Aliases

Published

2020-12-17T21:00:56Z

Modified

2024-09-11T18:21:56.633207Z

Severity

2.8 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
2.4 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Apache Airflow logs passwords in plaintext

Details

In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. The same happenes when creating a Connection with a password field.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-312"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2020-12-17T20:15:10Z"
}

References

Affected packages

PyPI / apache-airflow

Package

Name: apache-airflow; View open source insights on deps.dev
Purl: pkg:pypi/apache-airflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.13

Affected versions

1.*

1.8.1

1.8.2rc1

1.8.2

1.9.0

1.10.0

1.10.1b1

1.10.1rc2

1.10.1

1.10.2b2

1.10.2rc1

1.10.2rc2

1.10.2rc3

1.10.2

1.10.3b1

1.10.3b2

1.10.3rc1

1.10.3rc2

1.10.3

1.10.4b2

1.10.4rc1

1.10.4rc2

1.10.4rc3

1.10.4rc4

1.10.4rc5

1.10.4

1.10.5rc1

1.10.5

1.10.6rc1

1.10.6rc2

1.10.6

1.10.7rc1

1.10.7rc2

1.10.7rc3

1.10.7

1.10.8rc1

1.10.8

1.10.9rc1

1.10.9

1.10.10rc1

1.10.10rc2

1.10.10rc3

1.10.10rc4

1.10.10rc5

1.10.10

1.10.11rc1

1.10.11rc2

1.10.11

1.10.12rc1

1.10.12rc2

1.10.12rc3

1.10.12rc4

1.10.12

1.10.13rc1