CVE-2022-27949
HIGHApache Airflow < 2.3.1 - Unauthenticated Exposure of Sensitive Information in Task Template Rendering
Title source: llmDescription
A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.
References (3)
Core 3
Core References
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/11/14/3
Patch, Third Party Advisory
https://github.com/apache/airflow/pull/22754
Mailing List, Vendor Advisory
https://lists.apache.org/thread/n38oc5obb48600fsvnbopxcs0jpbp65p
Scores
CVSS v3
7.5
EPSS
0.0164
EPSS Percentile
82.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
apache/airflow
< 2.3.1
pypi/apache-airflow
0 - 2.3.1PyPI
Published
Nov 14, 2022
Tracked Since
Feb 18, 2026