Received: by 2002:a05:6500:1b45:b0:1f5:f2ab:c469 with SMTP id cz5csp929871lqb;
        Wed, 17 Apr 2024 15:28:56 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCXk3qWgsyYKOa/h+FnLYWI+1AAkZvfH4oV8IMAYQ+OraIxEp0ChVBStxL4fvlsTEREjL/R6qupG2sPu7+qo+p7H9WoUv9bVTT5XsWcSEA==
X-Google-Smtp-Source: AGHT+IGEiyPLE41imA+PsKyU0fjo3sXboHM9l+XTq5IGYMtBS5I87ydxQn/FoInT+U9w77+Wclwv
X-Received: by 2002:a05:620a:1186:b0:78a:5bfa:3619 with SMTP id b6-20020a05620a118600b0078a5bfa3619mr912798qkk.17.1713392936426;
        Wed, 17 Apr 2024 15:28:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1713392936; cv=none;
        d=google.com; s=arc-20160816;
        b=arIJ/CFyKhPdtfx7bmX4dZCZJmxW57TEENaVdjxRi4kxRG37rRhFcKcnZFoOLgnSE8
         IVRPhmlFaatva4c9E49VsC/DokZcFhfYNcbOMNZolO4Mf/1GFHTPvIG4BTLPzwzfIe4o
         Sd65HWz7/RJMB7XTqtVhmhhQbGfHB05LH0D0hEV2QC7uHvWDyWMomKIsVqW2WjkdnURk
         rBaeHU+gv2hupAh+3Ds82nyBw+NbEJhK/sPRq//KY/dChCjwJCdCBInCH/UzTXRBd+C7
         wLkpRGX9R9nqYByvVFzLfsKn6VZnstK3t966xBEVZv+g9ajMjK93i65curNptSv8Bl2z
         8zag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=subject:mime-version:date:content-transfer-encoding:message-id:to
         :from:delivered-to:delivered-to:reply-to:list-id:list-subscribe
         :list-unsubscribe:list-help:list-post:precedence:mailing-list;
        bh=KYPgMJK0/WyYHKanVitjbQ0KqEGCHyMJKQD+VmKXwl8=;
        fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=;
        b=fYrUIDOZajeT1r2fyXBgTlNxs5kIKZLVce9xRKRj8F6vczhAI5pdGo54iNAAvjC9tY
         tCwAnOI7jHZhWAjoyx6KkIztb07iuHnnWUHbDXdy3N7PmQRSVX4gsSex2CqmJXRzysMZ
         S9hFReKu4ah14ND2mpelX9XK9eC2hoWsG2Sw5wH41URym5nb284ypHA0goxckjEKnaU/
         wRmB+0clS6V1q2Yu/CfuCrFFRaTdRqgKcJ4tl9SX/MhV9kIo6JDizFWKxkKO8hKWMpa2
         z7eIV5gW7n05/jTl8VQKqJnvCYrvw7MMlmE09ERd8kaCqGLvBtYrmoXaHm+0BRx5ojCm
         D/uQ==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of oss-security-return-30047-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30047-linux.lists.archive=gmail.com@lists.openwall.com"
Return-Path: <oss-security-return-30047-linux.lists.archive=gmail.com@lists.openwall.com>
Received: from second.openwall.net (second.openwall.net. [193.110.157.125])
        by mx.google.com with SMTP id or9-20020a05620a618900b0078d762f1e71si175930qkn.576.2024.04.17.15.28.55
        for <linux.lists.archive@gmail.com>;
        Wed, 17 Apr 2024 15:28:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of oss-security-return-30047-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of oss-security-return-30047-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30047-linux.lists.archive=gmail.com@lists.openwall.com"
Received: (qmail 19624 invoked by uid 550); 17 Apr 2024 22:28:33 -0000
Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:oss-security@lists.openwall.com>
List-Help: <mailto:oss-security-help@lists.openwall.com>
List-Unsubscribe: <mailto:oss-security-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:oss-security-subscribe@lists.openwall.com>
List-ID: <oss-security.lists.openwall.com>
Reply-To: oss-security@lists.openwall.com
Delivered-To: mailing list oss-security@lists.openwall.com
Delivered-To: moderator for oss-security@lists.openwall.com
Received: (qmail 5378 invoked from network); 17 Apr 2024 22:24:04 -0000
Authentication-Results: apache.org; auth=none
Content-Type: text/plain; charset=utf-8
From: Ephraim Anierobi <ephraimanierobi@apache.org>
To: oss-security@lists.openwall.com
Message-ID: <747a6b7c-6cd3-a027-d0db-7235caa2ea11@apache.org>
Content-Transfer-Encoding: quoted-printable
Date: Wed, 17 Apr 2024 22:19:39 +0000
MIME-Version: 1.0
Subject: [oss-security] =?UTF-8?Q?CVE-2024-31869=3A_Apache_Airflow=3A_Sens?=
 =?UTF-8?Q?itive_configuration_for_providers_displa?=
 =?UTF-8?Q?yed_when_=22non-sensitive-only=22_config?= =?UTF-8?Q?_used=20?=

Severity: low

Affected versions:

- Apache Airflow 2.7.0 through 2.8.4

Description:

Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an =
authenticated user to see sensitive provider configuration via the =
"configuration" UI page=C2=A0when "non-sensitive-only" was set as =
"webserver.expose_config" configuration (The celery provider is the only =
community provider currently that has sensitive configurations). You should=
 migrate to Airflow 2.9 or change your "expose_config" configuration to =
False as a workaround. This is similar, but different to  CVE-2023-46288 =
https://github.com/advisories/GHSA-9qqg-mh7c-chfq  which concerned API, not=
 UI configuration page.

Credit:

Manmeet Rangoola (finder)
Jarek Potiuk (remediation developer)

References:

https://github.com/apache/airflow/pull/38795
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=3DCVE-2024-31869