CVE-2022-46651
Sensitive Information Disclosure vulnerability in apache-airflow (PyPI)


What is CVE-2022-46651 About?

This vulnerability allows sensitive information to be disclosed through Apache Airflow's Connection edit view. An unauthorized actor can gain access to confidential data. Exploitation is considered low difficulty: it requires only access to Connection resources and an update action to trigger the disclosure.

Affected Software

apache-airflow <2.6.3

Technical Details

Apache Airflow versions prior to 2.6.3 are susceptible to sensitive information disclosure. The vulnerability manifests when an authorized user, specifically one with access to 'Connection resources', performs an update operation within the Connection edit view. The flaw is that the system does not properly restrict or sanitize the data displayed or handled during the update process, inadvertently exposing sensitive credentials or configuration details that should remain protected. An attacker who has legitimate access to the edit view, but no explicit authorization to view sensitive connection data, can use the edit functionality to extract this information.

What is the Impact of CVE-2022-46651?

Successful exploitation may allow attackers to gain unauthorized access to sensitive data, potentially leading to compromise of connected systems or services, or further privilege escalation.

What is the Exploitability of CVE-2022-46651?

Exploitation complexity is low, but specific conditions must be met. An attacker needs authenticated access with permissions to view and edit 'Connection resources' within Apache Airflow. This is a local or internal attack vector, as direct administrative access to the Airflow UI is a prerequisite. The disclosure occurs during the process of updating a connection, so the attacker must actively modify a connection to trigger it. The risk is increased if users with limited trust are granted broad permissions over connection configurations.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-46651?

Available Upgrade Options

  • apache-airflow
    • <2.6.3 → Upgrade to 2.6.3
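To check whether a pinned dependency set falls inside the affected range (<2.6.3), here is an added example, not part of the advisory or of the Airflow project: a small scanner for requirements / pip freeze style lines. It implements its own release-segment comparison (no third-party packages) and treats pre-releases of 2.6.3 as affected, since they sort below the final release; the sample requirement lines are constructed.

```python
# Added example: flag pinned apache-airflow versions affected by CVE-2022-46651.
# Not from the advisory; the requirements text below is constructed sample input.
import re
from typing import List, Optional, Tuple

FIXED_VERSION = (2, 6, 3)  # first release that is not affected, per the advisory

# numeric release segments, optionally followed by a pre-release tag (a/b/rc/dev)
_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)\s*(?:(a|b|rc|\.?dev)\d*)?", re.I)
# 'apache-airflow==X' or 'apache_airflow[extra]==X'; providers packages do not match
_PIN_RE = re.compile(r"apache[-_]airflow(?:\[[^\]]*\])?\s*==\s*([^\s;]+)", re.I)


def is_affected(version: str) -> Optional[bool]:
    """True if apache-airflow `version` is below 2.6.3 (affected), False if fixed,
    None if the version string cannot be parsed."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    release = tuple(int(p) for p in m.group(1).split("."))
    release = release + (0,) * (3 - len(release))      # '2.6' compares as 2.6.0
    pre_flag = 0 if m.group(2) else 1                  # pre-release sorts before final
    return (release, pre_flag) < (FIXED_VERSION, 1)


def scan_requirements(lines: List[str]) -> List[Tuple[str, Optional[bool]]]:
    """Return (pinned version, affected?) for every apache-airflow pin found."""
    findings = []
    for line in lines:
        line = line.split("#", 1)[0].strip()           # drop comments and whitespace
        m = _PIN_RE.match(line)
        if m:
            findings.append((m.group(1), is_affected(m.group(1))))
    return findings


SAMPLE_REQUIREMENTS = """\
# constructed sample requirements, not taken from any real deployment
apache-airflow==2.5.1
apache-airflow-providers-amazon==8.0.0
apache-airflow[celery]==2.6.3rc1
Apache_Airflow==2.6.3
apache-airflow==2.7.0
"""

if __name__ == "__main__":
    for version, affected in scan_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"apache-airflow=={version}: {'AFFECTED' if affected else 'fixed'}")
```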


Additional Resources

What are Similar Vulnerabilities to CVE-2022-46651?

Similar Vulnerabilities: CVE-2021-44228, CVE-2023-49080, CVE-2022-26135, CVE-2023-46795, CVE-2023-28432