CVE-2023-46215

EUVD-2023-2667

28.10.2023, 08:15

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow.

Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend
Note: the vulnerability is about the information exposed in the logs not about accessing the logs.

This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3.

Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 48%

Affected Products (NVD)

Vendor	Product	Version
apache	airflow	1.10.0 ≤ 𝑥 < 2.7.0
apache	airflow_celery_provider	3.3.0 ≤ 𝑥 ≤ 3.4.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

http://www.openwall.com/lists/oss-security/2023/10/28/1

https://github.com/apache/airflow/pull/34954

https://lists.apache.org/thread/wm1jfmks7r6m7bj0mq4lmw3998svn46n

http://www.openwall.com/lists/oss-security/2023/10/28/1

https://github.com/apache/airflow/pull/34954

https://lists.apache.org/thread/wm1jfmks7r6m7bj0mq4lmw3998svn46n