CVE-2023-51702: Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service

Open Source Security 

Posted by Ephraim Anierobi on Jan 24

Severity: moderate

Affected versions:

– Apache Airflow CNCF Kubernetes provider 5.2.0 before 7.0.0
– Apache Airflow 2.3.0 before 2.6.1

Description:

Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication,
the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in
metadata without any encryption. Additionally, if used with an…
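
A defender-side check for the exposure described above, added here as an example and not code from the advisory or from Apache Airflow: it walks a serialized argument dictionary, reports kubeconfig credential fields held in clear text, and returns a masked copy that is safe to log. The outer key names (`pod_name`, `kube_config`) and every value in the sample are constructed assumptions.

```python
import json

# Kubeconfig fields that carry credential material (users[].user entries and
# auth-provider config entries).
SECRET_KEYS = {
    "client-key-data", "token", "password",
    "access-token", "id-token", "refresh-token", "client-secret",
}

def _is_secret(key, value):
    return key in SECRET_KEYS and isinstance(value, str) and bool(value)

def find_secrets(obj, path="$"):
    """Return JSON-style paths of non-empty credential fields inside obj."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if _is_secret(key, value):
                hits.append(here)
            else:
                hits.extend(find_secrets(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_secrets(item, f"{path}[{i}]"))
    return hits

def redact(obj):
    """Return a copy of obj with credential values masked."""
    if isinstance(obj, dict):
        return {k: "***" if _is_secret(k, v) else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

# Constructed sample: a kubeconfig serialized as a dictionary inside a set of
# stored arguments. Names and values are illustrative, not taken from Airflow.
SAMPLE_KWARGS = json.dumps({
    "pod_name": "example-pod",
    "kube_config": {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": "c1", "cluster": {"server": "https://k8s.example.invalid"}}],
        "users": [{"name": "u1", "user": {"token": "CONSTRUCTED-TOKEN",
                                          "client-key-data": "Q09OU1RSVUNURUQ="}}],
    },
})

def audit(serialized):
    """Parse stored arguments; return (paths of clear-text secrets, masked JSON)."""
    data = json.loads(serialized)
    return find_secrets(data), json.dumps(redact(data))
```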