Description
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Note: the vulnerability is about the information exposed in the logs not about accessing the logs. This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3. Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue.
References (3)
Core 3
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/28/1
Patch patch
https://github.com/apache/airflow/pull/34954
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/wm1jfmks7r6m7bj0mq4lmw3998svn46n
Scores
CVSS v3
7.5
EPSS
0.0019
EPSS Percentile
41.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-532
Status
published
Products (4)
apache/airflow
1.10.0 - 2.7.0
apache/airflow_celery_provider
3.3.0 - 3.4.0
pypi/apache-airflow
1.10.0 - 2.7.0PyPI
pypi/apache-airflow-providers-celery
3.3.0 - 3.4.1PyPI
Published
Oct 28, 2023
Tracked Since
Feb 18, 2026