CVE-2023-46215

28.10.2023, 08:15

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow.

Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend
Note: thevulnerability is about the information exposed in the logs not about accessing the logs.

This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3.

Users are recommended to upgrade Airflow Celery provider to version 3.4.1and Apache Airlfow to version 2.7.0 which fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
apache	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 35%

Vendor	Product	Version
apache	airflow	1.10.0 ≤ 𝑥 < 2.7.0
apache	airflow_celery_provider	3.3.0 ≤ 𝑥 ≤ 3.4.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

http://www.openwall.com/lists/oss-security/2023/10/28/1

https://github.com/apache/airflow/pull/34954

https://lists.apache.org/thread/wm1jfmks7r6m7bj0mq4lmw3998svn46n

http://www.openwall.com/lists/oss-security/2023/10/28/1

https://github.com/apache/airflow/pull/34954

https://lists.apache.org/thread/wm1jfmks7r6m7bj0mq4lmw3998svn46n