CVE-2023-40712

CVE-2023-40712: Apache Airflow: Secrets can be unmasked in the "Rendered Template"

Vendor Apache Software Foundation

Product Apache Airflow

Weakness CWE-200 · Info exposure

Published September 12, 2023

Last update September 25, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.

Key dates

Disclosure timeline

September 12, 2023 CVE published

September 25, 2024 Record updated