CVE-2023-25695
sensitive information vulnerability in apache-airflow (PyPI)
What is CVE-2023-25695 About?
This vulnerability in Apache Airflow allows error messages to be generated that contain sensitive information, such as the Python or Airflow version in use and node names. When these tracebacks are displayed to unauthenticated users, they hand potential attackers valuable reconnaissance data at very little effort. The impact is information leakage that facilitates targeted attacks.
Affected Software
- apache-airflow
- <2.5.2
- <2.5.2rc1
Technical Details
The vulnerability arises from the way Apache Airflow handles and displays error tracebacks to unauthenticated users. Prior to version 2.5.2, if an unauthenticated user triggered an error within the application (e.g., by requesting a non-existent page or providing invalid input), the resulting traceback would contain detailed system information. This sensitive information could include the specific Python version in use, the exact Apache Airflow version, and the hostname or node identifier of the server. By exposing these implementation details, attackers gain valuable insights into the target environment, which can be used to identify known vulnerabilities for those specific software versions or to map out the network architecture, thus enabling more precise and effective subsequent attacks.
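As an added illustration (not Airflow's own code), the block below contrasts the two response shapes the text describes, a verbose traceback page and a generic error page, and provides a small check a defender can run over error pages captured from unauthenticated requests to confirm that version strings, source paths and the node name are no longer exposed. The version numbers, file path and hostname are constructed sample values.

```python
import re
from typing import Dict, List

# Constructed sample values standing in for what a leaky traceback would reveal.
# They are not taken from any real deployment.
PYTHON_VERSION = "3.9.16"
AIRFLOW_VERSION = "2.5.1"
HOSTNAME = "airflow-web-7d9f"


def render_error_verbose(exc: Exception) -> str:
    """Illustrative leaky error page: echoes the traceback header, a source path,
    the interpreter and application versions and the node name (the pattern
    described for CVE-2023-25695)."""
    return (
        "Traceback (most recent call last):\n"
        '  File "/opt/app/views.py", line 42, in handler\n'
        f"{type(exc).__name__}: {exc}\n"
        f"Python {PYTHON_VERSION} | Airflow {AIRFLOW_VERSION} | node {HOSTNAME}\n"
    )


def render_error_safe(exc: Exception, request_id: str) -> str:
    """Hardened page: a fixed message plus an opaque correlation id. The real
    traceback belongs in the server log (not shown here), never in the response."""
    return f"An internal error occurred. Reference: {request_id}\n"


# Fragments that should never appear in a response served to an unauthenticated client.
LEAK_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "traceback": re.compile(r"Traceback \(most recent call last\)"),
    "python_version": re.compile(r"\bPython\s+\d+\.\d+(\.\d+)?\b"),
    "airflow_version": re.compile(r"\bAirflow\s+\d+\.\d+(\.\d+)?\b"),
    "source_path": re.compile(r'File "[^"]+\.py", line \d+'),
}


def find_leaks(body: str, hostname: str = HOSTNAME) -> List[str]:
    """Return the names of sensitive fragments present in an error response body.
    Run it over pages captured from unauthenticated error-triggering requests
    (a missing page, malformed input) before and after upgrading to 2.5.2."""
    found = [name for name, pat in LEAK_PATTERNS.items() if pat.search(body)]
    if hostname and hostname in body:
        found.append("hostname")
    return found


if __name__ == "__main__":
    err = ValueError("bad dag_id")
    print(find_leaks(render_error_verbose(err)))           # all five leak classes
    print(find_leaks(render_error_safe(err, "req-0001")))  # []
```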
What is the Impact of CVE-2023-25695?
Successful exploitation may allow attackers to gather critical reconnaissance information about the underlying system, aiding in the planning and execution of more sophisticated, targeted attacks, and compromising data confidentiality related to system specifics.
What is the Exploitability of CVE-2023-25695?
Exploitation involves triggering an error condition within Apache Airflow as an unauthenticated user. This is typically low complexity, requiring basic web request manipulation to cause an error that generates a detailed traceback. No authentication or specific privileges are required, making it an unauthenticated remote attack. The primary prerequisite is the ability to send requests to the Airflow web interface. The risk factor is heightened by the potential for unauthenticated information disclosure, providing attackers with a significant reconnaissance advantage without needing prior access.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-25695?
Available Upgrade Options
- apache-airflow
- <2.5.2rc1 → Upgrade to 2.5.2rc1
- apache-airflow
- <2.5.2 → Upgrade to 2.5.2
Additional Resources
- https://lists.apache.org/thread/z8w6ckzs61ql365tv4d19k82o67r15p2
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-2.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2023-25695
- https://osv.dev/vulnerability/PYSEC-2023-2
- https://github.com/apache/airflow
- https://github.com/apache/airflow/commit/965e76d9ed00ef354a834739ac46f24068630951
- https://github.com/apache/airflow/pull/29501
- https://osv.dev/vulnerability/GHSA-h6g5-wqqr-3mw3
What are Similar Vulnerabilities to CVE-2023-25695?
Similar Vulnerabilities: CVE-2022-40604, CVE-2020-13936, CVE-2018-11776, CVE-2017-7661, CVE-2014-0050
