CVE-2023-25695: Sensitive Information in Error Messages in Apache Airflow

March 15, 2023 (updated September 11, 2024)

Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow.This issue affects Apache Airflow: before 2.5.2. The traceback contains information that might be useful for a potential attacker to better target their attack (Python/Airflow version, node name). This information should not be shown if traceback is shown to unauthenticated user.

References

github.com/advisories/GHSA-h6g5-wqqr-3mw3
github.com/apache/airflow
github.com/apache/airflow/commit/965e76d9ed00ef354a834739ac46f24068630951
github.com/apache/airflow/pull/29501
github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-2.yaml
lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2
nvd.nist.gov/vuln/detail/CVE-2023-25695

Detect and mitigate CVE-2023-25695 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →