CVE-2023-46215 Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend

2023-10-2807:10:57

CWE-532

apache

www.cve.org

apache airflow

celery provider

sensitive information

clear text

rediss

amqp

rpc protocols

vulnerability

log file

upgrade

cve-2023-46215

0.005 Low

EPSS

Percentile

77.6%

JSON

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow.

Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend
Note: the vulnerability is about the information exposed in the logs not about accessing the logs.

This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3.

Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue.

CNA Affected

[
  {
    "collectionURL": "https://pypi.python.org",
    "defaultStatus": "unaffected",
    "packageName": "apache-airflow-providers-celery",
    "product": "Apache Airflow Celery provider",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "3.4.0",
        "status": "affected",
        "version": "3.3.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "collectionURL": "https://pypi.python.org",
    "defaultStatus": "unaffected",
    "packageName": "apache-airflow",
    "product": "Apache Airflow",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.7.0",
        "status": "affected",
        "version": "1.10.0",
        "versionType": "semver"
      }
    ]
  }
]