Apache Airflow 2.4.02.7.0 Config API Info Leak via expose_config
CVE-2023-46288 Published on October 23, 2023
Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0.
Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2).
Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2023-46288 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2023-46288
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-46288 are published in Apache AirFlow:
Affected Versions
Apache Software Foundation Apache Airflow:- Version 2.4.0 and below 2.7.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.