CVE-2023-35005 in Airflow

Summary

by MITRE • 06/19/2023

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations. This vulnerability is mitigated by the fact that configuration is not shown in the UI by default (only if `[webserver] expose_config` is set to `non-sensitive-only`), and not all uncensored values are actually sensitive. This issue affects Apache Airflow: from 2.5.0 before 2.6.2. Users are recommended to update to version 2.6.2 or later.

Analysis

by VulDB Data Team • 07/14/2023

Apache Airflow versions 2.5.0 through 2.6.1 contain a vulnerability that exposes potentially sensitive configuration values to users through the web interface. This issue stems from inadequate sanitization of configuration data within the user-facing components of the platform. The vulnerability is categorized under CWE-200, which deals with exposure of sensitive information to an unauthorized actor, and aligns with ATT&CK technique T1528 for bypassing system and application security measures to access sensitive data.

The technical flaw occurs when the webserver component displays configuration values to users, which only happens when the `[webserver] expose_config` setting is configured to `non-sensitive-only` (by default the configuration page is not exposed at all). While the default configuration properly restricts exposure of sensitive data, certain edge cases and specific configurations can lead to unintended disclosure of information that should remain protected. This vulnerability represents a privilege escalation risk where users with access to the Airflow web interface can potentially gain insights into system configurations that could aid in further attacks.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with additional reconnaissance capabilities. When sensitive configuration values are exposed, they may reveal database connection strings, API keys, secret tokens, or other credentials that could be leveraged for lateral movement within the system. The vulnerability affects the webserver component specifically, making it accessible to any user with web interface access, which could include both legitimate users and potential attackers who have gained access through other means.

Security mitigations for this vulnerability include an immediate upgrade to Apache Airflow version 2.6.2 or later, which contains the necessary patches to prevent unauthorized exposure of configuration values. Organizations should also review their current `[webserver] expose_config` settings and ensure they are properly configured to limit information disclosure. The fix addresses the root cause by implementing proper sanitization of configuration values before display, ensuring that only non-sensitive information is exposed to users. Additionally, security teams should monitor for any unauthorized access to the Airflow web interface and implement network segmentation to limit exposure of the platform to only authorized users and systems.
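As an added illustration of the mitigation described above, the following Python code is not Airflow's own implementation and not the 2.6.2 patch. It shows what a `non-sensitive-only` style display should do before handing configuration to the UI, and why masking by a fixed list of option names alone is the failure mode: a credential stored under an unexpected key name slips through unless values are inspected as well. The `SENSITIVE_KEYS` subset, the two regular expressions, the `[custom]` section and every value in the sample config are constructed for this example; `redact_config` and `is_sensitive` are hypothetical names.

```python
"""Illustrative redaction of an airflow.cfg-style config before display.

Added example, not Airflow's code. Two layers: a list of known secret
options (an illustrative subset), plus heuristics on option names and
values so that an option missing from the list does not leak a secret.
"""
import configparser
import re
from typing import Dict

# Option names that hold secrets. These options do exist in Airflow, but the
# set below is an illustrative subset for this example, not Airflow's
# authoritative list of sensitive config values.
SENSITIVE_KEYS = {
    ("core", "fernet_key"),
    ("database", "sql_alchemy_conn"),
    ("webserver", "secret_key"),
    ("celery", "broker_url"),
    ("celery", "result_backend"),
}

# Heuristics applied to every option regardless of the list above:
# a secret-looking option name, or a value embedding credentials in a URI
# of the form scheme://user:password@host, is masked too.
SECRET_LIKE_KEY = re.compile(r"password|secret|token|key|credential", re.I)
URI_WITH_PASSWORD = re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@\s]+@", re.I)

REDACTED = "< hidden >"

# Constructed sample config for the demo; none of these values are real.
# The [custom] section stands in for an operator-added option that a
# name-based list would not know about.
SAMPLE_CFG = """\
[core]
executor = LocalExecutor
fernet_key = ZmFrZS1mZXJuZXQta2V5LWZvci1kZW1vLW9ubHk=

[database]
sql_alchemy_conn = postgresql+psycopg2://airflow:s3cr3t@db.internal:5432/airflow

[webserver]
expose_config = non-sensitive-only
secret_key = not-a-real-flask-key
base_url = http://localhost:8080

[smtp]
smtp_host = mail.internal
smtp_password = hunter2

[custom]
reporting_db = mysql://reporter:pw@reports.internal/stats
"""


def is_sensitive(section: str, key: str, value: str, heuristics: bool = True) -> bool:
    """True if the option is on the known list or, with heuristics enabled,
    has a secret-looking name or a value that embeds credentials."""
    if (section.lower(), key.lower()) in SENSITIVE_KEYS:
        return True
    if not heuristics:
        return False
    if SECRET_LIKE_KEY.search(key):
        return True
    return URI_WITH_PASSWORD.match(value) is not None


def redact_config(raw: str, heuristics: bool = True) -> Dict[str, Dict[str, str]]:
    """Parse airflow.cfg-style text and return it with secrets masked.
    heuristics=False reproduces the weak, list-only behaviour for contrast."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(raw)
    redacted: Dict[str, Dict[str, str]] = {}
    for section in parser.sections():
        redacted[section] = {
            key: (REDACTED if is_sensitive(section, key, value, heuristics) else value)
            for key, value in parser.items(section)
        }
    return redacted


if __name__ == "__main__":
    for mode in (False, True):
        print(f"--- heuristics={mode} ---")
        for section, options in redact_config(SAMPLE_CFG, heuristics=mode).items():
            print(f"[{section}]")
            for key, value in options.items():
                print(f"{key} = {value}")
```

With `heuristics=False` the `smtp_password` and `reporting_db` values are printed in clear because neither option is on the list; with the value and name checks enabled both are masked while `expose_config`, `base_url` and `executor` remain visible. Over-masking a harmless value is the safe direction, so the name pattern is deliberately broad.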

Reservation: 06/09/2023
Disclosure: 06/19/2023
Moderation: accepted
CPE: ready
EPSS: 0.01518
KEV: no
Activities: very low

Sources