BIT-airflow-2023-46215
Insertion of Sensitive Information into Log File vulnerability in apache-airflow-providers-celery (PyPI)
What is BIT-airflow-2023-46215 About?
This vulnerability involves the insertion of sensitive information into log files when using rediss, amqp, or rpc protocols as the Celery result backend in Apache Airflow. It exposes sensitive data in plain text within logs, impacting confidentiality. Exploitation is via accessing logs, which is often easier if an attacker has system or application level access.
Affected Software
- apache-airflow-providers-celery
- >=3.3.0, <3.4.1
- apache-airflow
- >=1.10.0, <2.7.0
Technical Details
The vulnerability occurs because when Apache Airflow's Celery provider is configured to use rediss, amqp, or rpc protocols for its result backend, sensitive information is written directly into log files in clear text. This means that details such as connection credentials, task results containing confidential data, or other sensitive operational information are stored unencrypted and unredacted in application logs. This is not about gaining access to the logs themselves, but the fact that already accessible logs contain sensitive data that should not be there.
What is the Impact of BIT-airflow-2023-46215?
Successful exploitation may allow attackers to gain access to sensitive information, including credentials or confidential data, by reading log files, leading to unauthorized data disclosure and potential deeper system compromise.
What is the Exploitability of BIT-airflow-2023-46215?
Exploitation requires an attacker to gain access to the system's log files. This usually implies initial access to the host machine or file system, or a separate vulnerability allowing log file access. No specific authentication to Airflow itself is needed to trigger the logging of sensitive data, as it's an inherent behavior of the vulnerable configuration. This is primarily a local access concern, or remote if an attacker can compromise a system with remote log access. The risk increases if log files are not properly secured with strict permissions or are accessible via insecure services.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for BIT-airflow-2023-46215?
Available Upgrade Options
- apache-airflow
- >=1.10.0, <2.7.0 → Upgrade to 2.7.0
- apache-airflow-providers-celery
- >=3.3.0, <3.4.1 → Upgrade to 3.4.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/apache/airflow/pull/34954
- https://nvd.nist.gov/vuln/detail/CVE-2023-46215
- https://github.com/apache/airflow
- http://www.openwall.com/lists/oss-security/2023/10/28/1
- http://www.openwall.com/lists/oss-security/2023/10/28/1
- https://lists.apache.org/thread/wm1jfmks7r6m7bj0mq4lmw3998svn46n
- https://osv.dev/vulnerability/GHSA-666g-rfc5-c9jv
- https://lists.apache.org/thread/wm1jfmks7r6m7bj0mq4lmw3998svn46n
- https://github.com/apache/airflow/pull/34954
What are Similar Vulnerabilities to BIT-airflow-2023-46215?
Similar Vulnerabilities: CVE-2021-36777 , CVE-2020-13943 , CVE-2019-12389 , CVE-2018-11762 , CVE-2017-7667
