// For flags

CVE-2024-31869

Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your "expose_config" configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page.

Las versiones 2.7.0 a 2.8.4 de Airflow tienen una vulnerabilidad que permite a un usuario autenticado ver la configuración confidencial del proveedor a través de la página de interfaz de usuario "configuración" cuando se configuró "solo no confidencial" como configuración "webserver.expose_config" (el proveedor de apio es el único proveedor comunitario actualmente que tiene configuraciones confidenciales). Deberías migrar a Airflow 2.9 o cambiar tu configuración "expose_config" a False como workaround. Esto es similar, pero diferente a CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq, que se refería a la API, no a la página de configuración de la UI.

Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your "expose_config" configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page.

*Credits: Manmeet Rangoola, Jarek Potiuk
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-04-06 CVE Reserved
  • 2024-04-18 CVE Published
  • 2025-03-13 CVE Updated
  • 2025-05-27 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache Software Foundation
Search vendor "Apache Software Foundation"
 Apache Airflow
Search vendor "Apache Software Foundation" for product "Apache Airflow"
 >= 2.7.0 <= 2.8.4
Search vendor "Apache Software Foundation" for product "Apache Airflow" and version " >= 2.7.0 <= 2.8.4"
en
Affected