CVE-2023-46215

2023-10-2808:15:07

CWE-532

[email protected]

web.nvd.nist.gov

cve-2023-46215

sensitive information

log file

apache airflow

celery provider

rediss

amqp

rpc

protocols

upgrade

security issue

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.005

Percentile

77.5%

JSON

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow.

Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend
Note: the vulnerability is about the information exposed in the logs not about accessing the logs.

This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3.

Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue.

Affected configurations

Nvd

Node

apacheairflowRange1.10.0–2.7.0

apacheairflow_celery_providerRange3.3.0–3.4.0

VendorProductVersionCPE
apacheairflow*cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
apacheairflow_celery_provider*cpe:2.3:a:apache:airflow_celery_provider:*:*:*:*:*:*:*:*