cve-2024-45784
Vulnerability from cvelistv5
Published
2024-11-15 08:20
Modified
2024-11-15 19:42
Severity ?
Summary
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.
References
security@apache.orghttps://github.com/apache/airflow/pull/43040
security@apache.orghttps://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2024/11/15/1
Impacted products
Vendor Product Version
Apache Software Foundation Apache Airflow Version: 0   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-11-15T09:03:20.784Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "http://www.openwall.com/lists/oss-security/2024/11/15/1",
               },
            ],
            title: "CVE Program Container",
         },
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "airflow",
                  vendor: "apache",
                  versions: [
                     {
                        lessThan: "2.10.3",
                        status: "affected",
                        version: "0",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "NONE",
                     baseScore: 7.5,
                     baseSeverity: "HIGH",
                     confidentialityImpact: "HIGH",
                     integrityImpact: "NONE",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2024-45784",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-15T19:41:31.453895Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-15T19:42:27.561Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://pypi.python.org",
               defaultStatus: "unaffected",
               packageName: "apache-airflow",
               product: "Apache Airflow",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThan: "2.10.3",
                     status: "affected",
                     version: "0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "Saurabh Banawar",
            },
            {
               lang: "en",
               type: "remediation developer",
               value: "Amogh Desai",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.",
                  },
               ],
               value: "Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "moderate",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-1295",
                     description: "CWE-1295: Debug Messages Revealing Unnecessary Information",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-15T08:20:05.581Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "patch",
               ],
               url: "https://github.com/apache/airflow/pull/43040",
            },
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Apache Airflow: Sensitive configuration values are not masked in the logs by default",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2024-45784",
      datePublished: "2024-11-15T08:20:05.581Z",
      dateReserved: "2024-09-08T12:59:15.112Z",
      dateUpdated: "2024-11-15T19:42:27.561Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-45784\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-11-15T09:15:14.897\",\"lastModified\":\"2024-11-21T09:38:05.210\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.\"},{\"lang\":\"es\",\"value\":\"Las versiones de Apache Airflow anteriores a la 2.10.3 contienen una vulnerabilidad que podría exponer variables de configuración confidenciales en los registros de tareas. Esta vulnerabilidad permite a los autores de DAG registrar variables de configuración confidenciales de forma intencional o no intencionada. Los usuarios no autorizados podrían acceder a estos registros, lo que podría exponer datos críticos que podrían explotarse para comprometer la seguridad de la implementación de Airflow. En la versión 2.10.3, los secretos ahora están enmascarados en los registros de tareas para evitar que las variables de configuración confidenciales se expongan en la salida del registro. Los usuarios deben actualizar a Airflow 2.10.3 o la versión más reciente para eliminar esta vulnerabilidad. Si sospecha que los autores de DAG podrían haber registrado los valores secretos en los registros y que sus registros no están protegidos adicionalmente, también se recomienda que actualice esos secretos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1295\"}]}],\"references\":[{\"url\":\"https://github.com/apache/airflow/pull/43040\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/11/15/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2024/11/15/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-11-15T09:03:20.784Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45784\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-15T19:41:31.453895Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*\"], \"vendor\": \"apache\", \"product\": \"airflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.10.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-15T19:41:25.512Z\"}}], \"cna\": {\"title\": \"Apache Airflow: Sensitive configuration values are not masked in the logs by default\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Saurabh Banawar\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Amogh Desai\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Airflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.10.3\", \"versionType\": \"semver\"}], \"packageName\": \"apache-airflow\", \"collectionURL\": \"https://pypi.python.org\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/apache/airflow/pull/43040\", \"tags\": [\"patch\"]}, {\"url\": \"https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability.\\u00a0If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1295\", \"description\": \"CWE-1295: Debug Messages Revealing Unnecessary Information\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-11-15T08:20:05.581Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-45784\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-15T19:42:27.561Z\", \"dateReserved\": \"2024-09-08T12:59:15.112Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-11-15T08:20:05.581Z\", \"assignerShortName\": \"apache\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.