CVE-2023-35005
Severity: MEDIUM
Apache Airflow 2.5.0-2.6.1 - Exposure of Sensitive Information via Configuration UI
Title source: llmDescription
In Apache Airflow, some potentially sensitive configuration values were being shown to the user in certain situations. This vulnerability is mitigated by the fact that configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sensitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.
References (3)
Patch: https://github.com/apache/airflow/pull/31788
Issue Tracking (patch): https://github.com/apache/airflow/pull/31820
Mailing List, Vendor Advisory: https://lists.apache.org/thread/o4f2cxh0054m9tlxpb81c1yhylor5gjd
Scores
CVSS v3: 6.5
EPSS: 0.0023
EPSS Percentile: 45.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-200
Status: published
Products (2)
apache/airflow: 2.5.0 - 2.6.2
pypi/apache-airflow: 2.5.0 - 2.6.2rc1 (PyPI)
Published: Jun 19, 2023
Tracked Since: Feb 18, 2026