CVE-2023-35005 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-35005

CVE-2023-35005

June 19, 2023

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sentitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

Related Resources (8)

https://github.com/apache/airflow/commit/5679a01919ac9d5153e858f8b1390cbc7915f148

https://nvd.nist.gov/vuln/detail/CVE-2023-35005

https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-89.yaml

https://github.com/apache/airflow/pull/31820

https://github.com/apache/airflow/commit/f6cda8fb63250fc4700658999739c1c3c5f6625c

https://github.com/apache/airflow/pull/31788

https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd

https://github.com/apache/airflow

Do you need more information?

CVSS v4

Base Score:

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

EPSS

Base Score:

0.21

Products

Solutions

Resources

Company

Compare

Developer Tools