CVE-2020-17511: Apache Airflow logs passwords in plaintext
In Airflow versions prior to 1.10.13, when a user is created with the airflow CLI, the password is logged in plain text in the Log table of the Airflow metadata database. The same happens when creating a Connection with a password field.
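An audit-and-scrub pass over rows already written to the Log table, as an added example that is not part of the advisory or of Airflow's own code. It assumes a table named `log` with `id`, `event` and `extra` columns, an `extra` value that is JSON whose `full_command` field holds the stringified argument list, and the flag names listed in `SENSITIVE_FLAGS`; the sample rows are constructed.

```python
import ast
import json
import sqlite3

# Assumed secret-bearing CLI flags and log layout; neither is given on this page.
SENSITIVE_FLAGS = {"-p", "--password", "--conn_password", "--conn-password"}
MASK = "********"

def mask_argv(argv):
    """Return (masked argv, True if a plaintext secret was found)."""
    out, found, mask_next = [], False, False
    for arg in argv:
        flag, sep, value = str(arg).partition("=")
        if mask_next:  # value following e.g. "-p"
            found, mask_next = found or arg != MASK, False
            out.append(MASK)
        elif sep and flag in SENSITIVE_FLAGS:  # "--password=value" form
            found = found or value != MASK
            out.append(flag + "=" + MASK)
        else:
            out.append(arg)
            mask_next = arg in SENSITIVE_FLAGS
    return out, found

def scrub_log_table(conn):
    """Mask secrets in CLI rows of the log table; return ids of changed rows."""
    changed = []
    query = "SELECT id, extra FROM log WHERE event LIKE 'cli%'"
    for row_id, extra in conn.execute(query).fetchall():
        try:
            doc = json.loads(extra)
            masked, found = mask_argv(ast.literal_eval(doc["full_command"]))
        except (TypeError, ValueError, KeyError, SyntaxError):
            continue  # row does not match the assumed layout; leave it alone
        if found:
            doc["full_command"] = str(masked)
            conn.execute("UPDATE log SET extra = ? WHERE id = ?", (json.dumps(doc), row_id))
            changed.append(row_id)
    conn.commit()
    return changed

def build_sample_db():
    """In-memory database with constructed rows (not real Airflow data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, event TEXT, extra TEXT)")
    for argv in (["airflow", "create_user", "-u", "alice", "-p", "example-pw"],
                 ["airflow", "connections", "--add", "--conn_password=example-pw"],
                 ["airflow", "list_dags"]):
        extra = json.dumps({"host_name": "example-host", "full_command": str(argv)})
        conn.execute("INSERT INTO log (event, extra) VALUES (?, ?)", ("cli_" + argv[1], extra))
    return conn
```

Masking stored rows does not undo the exposure: any password the audit finds should be rotated once the installation is on 1.10.13 or later.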
References
- github.com/advisories/GHSA-cvcq-gmc3-q6m8
- github.com/apache/airflow
- github.com/apache/airflow/commit/4e32546faf227a6497ce8b282fff7450cae6f665
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-262.yaml
- lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E
- nvd.nist.gov/vuln/detail/CVE-2020-17511