
Secrets not masked in UI when sensitive variables are set via Airflow cli

Low
Internet Bug Bounty
Submitted

Team Summary

Official summary from Internet Bug Bounty

When a sensitive variable is set using the Airflow CLI, it should be masked on every instance where it is referenced in the UI. However, it has been observed that it is masked on the Variable List page and other pages but not on the Audit logs page.

Reported by saurabhb

Vulnerability Details

Technical details and impact analysis

Information Disclosure
When a sensitive variable is set using the Airflow CLI, it should be masked on every instance where it is referenced in the UI. However, it has been observed that it is masked on the Variable List page and other pages but not on the Audit logs page.

Allocated CVE: CVE-2024-50378

Apache Airflow release notes that confirm the fix in the latest release 2.10.3: https://airflow.apache.org/docs/apache-airflow/stable/release_notes.html#airflow-2-10-3-2024-11-04

Pull request that fixes the issue: https://github.com/apache/airflow/pull/43123

Email communication between me (reporter) and the security team of Apache Airflow: {F3741395}

## Impact

Sensitive information disclosed on UI without masking.
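The report above describes the defensive pattern the fix relies on: decide from the variable's key name whether its value is sensitive, and mask it before the audit log row is written, not only when the Variable List page renders it. The following is an added example, not Airflow's own code, the reporter's code, or the content of PR 43123. It mirrors Airflow's key-name heuristic with a hypothetical `SENSITIVE_NAME_PARTS` list (assumed from memory of the names Airflow's secrets masker treats as sensitive; verify against your version), uses a constructed `AuditLogRow` shape and constructed event names in place of Airflow's real Log model, and adds a scanner that flags unmasked sensitive values in existing rows, which is the check an operator would want after running an affected version.

```python
"""Mask sensitive Airflow Variable values before they reach an audit log row,
and scan existing rows for values that were stored unmasked.

Added example: not Airflow's code. Names in SENSITIVE_NAME_PARTS are an assumption
based on Airflow's key-name masking heuristic; the AuditLogRow shape and the
"cli_variables_set" event name are constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import Iterable

# Assumed default sensitive name fragments (case-insensitive substring match).
# Airflow also lets operators extend the list via configuration; this example
# passes extra names explicitly instead.
SENSITIVE_NAME_PARTS = frozenset({
    "access_token", "api_key", "apikey", "authorization", "passphrase",
    "passwd", "password", "private_key", "secret", "token",
})
MASK = "***"


def should_hide_value_for_key(name: str, extra_names: Iterable[str] = ()) -> bool:
    """Return True when a Variable with this key name must have its value masked.
    Matching is case-insensitive and by substring, so both 'DB_PASSWORD' and
    'my-secret-1' are treated as sensitive."""
    lowered = name.lower()
    parts = set(SENSITIVE_NAME_PARTS) | {n.lower() for n in extra_names}
    return any(part in lowered for part in parts)


@dataclass
class AuditLogRow:
    """Constructed stand-in for an audit log record: event name, acting user,
    and a JSON-encoded 'extra' payload carrying the variable key and value."""
    event: str
    owner: str
    extra: str


def build_variable_audit_row(owner: str, key: str, value: str,
                             event: str = "cli_variables_set") -> AuditLogRow:
    """Build the audit row for a 'variables set' CLI call. The value is replaced
    with MASK *before* the row is persisted, so the Audit logs page (and the
    database) never hold the plaintext secret."""
    extra = {"key": key, "value": MASK if should_hide_value_for_key(key) else value}
    return AuditLogRow(event=event, owner=owner, extra=json.dumps(extra))


def find_unmasked_secrets(rows: Iterable[AuditLogRow]) -> list[tuple[str, str]]:
    """Scan existing audit rows and return (event, key) for every row whose extra
    payload names a sensitive key but still carries an unmasked value. Rows whose
    extra is not JSON are skipped rather than treated as findings."""
    findings: list[tuple[str, str]] = []
    for row in rows:
        try:
            extra = json.loads(row.extra)
        except json.JSONDecodeError:
            continue
        key = extra.get("key")
        value = extra.get("value")
        if isinstance(key, str) and should_hide_value_for_key(key) and value not in (None, MASK):
            findings.append((row.event, key))
    return findings


# Constructed sample rows, as an affected instance might hold them:
# the first row stores a secret in plaintext, the second is already masked,
# the third is a non-sensitive variable, the fourth has non-JSON extra.
SAMPLE_ROWS = [
    AuditLogRow("cli_variables_set", "admin", json.dumps({"key": "api_key", "value": "EXAMPLE-KEY-VALUE"})),
    AuditLogRow("cli_variables_set", "admin", json.dumps({"key": "db_password", "value": MASK})),
    AuditLogRow("cli_variables_set", "admin", json.dumps({"key": "region", "value": "eu-west-1"})),
    AuditLogRow("cli_dags_list", "admin", "not json"),
]

if __name__ == "__main__":
    print(build_variable_audit_row("admin", "DB_PASSWORD", "hunter2"))
    print(build_variable_audit_row("admin", "region", "eu-west-1"))
    print("unmasked findings:", find_unmasked_secrets(SAMPLE_ROWS))
```

Running the block masks `DB_PASSWORD` in the newly built row, leaves `region` readable, and reports the single constructed row that still stores an `api_key` value in plaintext. Masking at write time is the important design choice: masking only in the template that renders the Variable List page, as the report shows, leaves every other consumer of the stored row (audit views, database exports) with the raw secret.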

Related CVEs

Associated Common Vulnerabilities and Exposures

Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the …

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Information Disclosure