CVE-2024-50378

Severity: Medium (CVSS 3.1 base score 4.9) · EPSS 64.3%
Published: Nov 8, 2024
Last Modified: Jun 17, 2026

Description

Airflow versions before 2.10.3 allow authenticated users with audit log access to see sensitive values in audit logs that they should not be able to see. When sensitive variables were set via the Airflow CLI, the values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. The exposure is limited to users with audit log access, but upgrading to Airflow 2.10.3 or later, which addresses the issue, is recommended. Upgrading does not remove values that were already recorded: users who previously used the CLI to set secret variables should manually delete the entries for those variables from the log table.
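The two practical sides of this advisory, the masking that keeps a sensitive value out of the audit record and the cleanup of rows written before the fix, as an added example. This is not Airflow's own code and not the patch from the pull request referenced below; it models the behaviour the description gives. Everything about the storage layout is an assumption to be checked against your own metadata database before running the purge against it: the audit table is taken to be named `log` with `id`, `event` and `extra` columns, the CLI call to be recorded with event `cli_variables_set`, and the command line to sit under `full_command` in the JSON `extra` column (as a list, a Python-repr string, or a plain shell string; all three are handled). The sensitive-name regex and the option handling for `airflow variables set` are simplified stand-ins, and the database is an in-memory SQLite stand-in seeded with constructed rows.

```python
# Added example for CVE-2024-50378; not Airflow's own code. See the lead-in
# for the assumptions (table/column/event names, JSON layout of `extra`).
import ast
import json
import re
import shlex
import sqlite3

LOG_TABLE = "log"                # assumed name of the audit-log table
CLI_EVENT = "cli_variables_set"  # assumed event recorded for `airflow variables set`
MASK = "***"
# Simplified stand-in for Airflow's sensitive-name detection (assumption).
SENSITIVE_NAME = re.compile(
    r"password|passwd|secret|token|api_?key|private_?key|access_?key", re.I)
# Options of `airflow variables set` that consume the next argument (assumption).
OPTS_WITH_VALUE = {"--description"}


def _positionals_after_set(argv):
    """Indexes of the positional arguments that follow the `set` sub-command."""
    if "set" not in argv:
        return []
    positions, skip_next = [], False
    for i in range(argv.index("set") + 1, len(argv)):
        tok = argv[i]
        if skip_next:
            skip_next = False
        elif tok.startswith("-"):
            skip_next = tok in OPTS_WITH_VALUE
        else:
            positions.append(i)
    return positions


def redact_variables_set(argv):
    """Copy of argv with VALUE masked when KEY looks sensitive (the fixed behaviour)."""
    out = list(argv)
    pos = _positionals_after_set(argv) if "variables" in argv else []
    if len(pos) >= 2 and SENSITIVE_NAME.search(argv[pos[0]]):
        out[pos[1]] = MASK
    return out


def audit_extra_unredacted(argv):
    """Vulnerable behaviour: the secret is written to `extra` verbatim."""
    return json.dumps({"full_command": list(argv)})


def audit_extra_redacted(argv):
    """Fixed behaviour: mask before the record reaches the log table."""
    return json.dumps({"full_command": redact_variables_set(argv)})


def _command_from_extra(extra):
    """Recover argv from `extra`: JSON list, Python-repr string, or shell string."""
    try:
        cmd = json.loads(extra or "{}").get("full_command", [])
    except json.JSONDecodeError:
        return []
    if isinstance(cmd, str):
        try:
            cmd = ast.literal_eval(cmd)
        except (ValueError, SyntaxError):
            cmd = shlex.split(cmd)
    return list(cmd) if isinstance(cmd, (list, tuple)) else []


def find_leaked_entries(conn, key=None):
    """(id, argv) of audit rows written by `variables set`, optionally for one name."""
    rows = conn.execute(f"SELECT id, extra FROM {LOG_TABLE} WHERE event = ?", (CLI_EVENT,))
    found = []
    for row_id, extra in rows.fetchall():
        cmd = _command_from_extra(extra)
        pos = _positionals_after_set(cmd)
        if pos and (key is None or cmd[pos[0]] == key):
            found.append((row_id, cmd))
    return found


def purge_leaked_entries(conn, key=None):
    """Delete the rows find_leaked_entries() reports; returns how many were removed."""
    ids = [(row_id,) for row_id, _ in find_leaked_entries(conn, key)]
    if ids:
        conn.executemany(f"DELETE FROM {LOG_TABLE} WHERE id = ?", ids)
        conn.commit()
    return len(ids)


def demo_db():
    """In-memory stand-in for the metadata DB, seeded with constructed pre-fix rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {LOG_TABLE} (id INTEGER PRIMARY KEY, event TEXT, extra TEXT)")
    repr_cmd = str(["airflow", "variables", "set", "--description", "Slack hook",
                    "slack_token", "xoxb-123"])  # Python-repr form of full_command
    conn.executemany(f"INSERT INTO {LOG_TABLE} (event, extra) VALUES (?, ?)", [
        (CLI_EVENT, audit_extra_unredacted(["airflow", "variables", "set", "db_password", "hunter2"])),
        (CLI_EVENT, json.dumps({"full_command": repr_cmd})),
        (CLI_EVENT, audit_extra_unredacted(["airflow", "variables", "set", "region", "eu-west-1"])),
        ("cli_dags_list", audit_extra_unredacted(["airflow", "dags", "list"])),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo_db()
    for row_id, cmd in find_leaked_entries(conn):
        print(row_id, shlex.join(cmd), "->", shlex.join(redact_variables_set(cmd)))
    print("purged", purge_leaked_entries(conn), "rows")
```

`find_leaked_entries(conn)` lists every `variables set` row, including non-sensitive ones such as `region`, so you can review before deleting; `purge_leaked_entries(conn, key="db_password")` removes only the rows for one variable, which is the safer first step on a production metadata database. Run the purge inside a maintenance window and back up the `log` table first, since audit rows are not recoverable once deleted.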

CVSS Details

Base Score
4.9
Exploitability
1.2
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability: 64.3% (percentile)
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-201

Affected Products 1

Vendor   Product   Version   Range
apache   airflow   *         <2.10.3

References 3

  • openwall.com http://www.openwall.com/lists/oss-security/2024/11/08/5
    Mailing List, Third Party Advisory
  • github.com https://github.com/apache/airflow/pull/43123
    Issue Tracking, Patch
  • lists.apache.org https://lists.apache.org/thread/17rxys384lzfd6nhm3fztzgvk47zy7jb
    Mailing List, Vendor Advisory

Remediation

  • github.com https://github.com/apache/airflow/pull/43123
    Issue Tracking, Patch