CVE-2023-46288: Apache Airflow: Sensitive parameters exposed in API when „non-sensitive-only“ configuration is set
Open Source Security
Posted by Jarek Potiuk on Oct 23
– Apache Airflow 2.4.0 before 2.7.0
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache
Airflow from 2.4.0 to 2.7.0.
Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via
Airflow REST API for configuration even when the expose_config option is set to…