CVE-2023-40712
Information Disclosure vulnerability in apache-airflow (PyPI)
What is CVE-2023-40712 About?
This vulnerability in Apache Airflow, affecting versions before 2.7.1, allows authenticated users to craft a specific URL to unmask secret configurations of tasks that are otherwise hidden in the UI. It can lead to unauthorized access to sensitive information, posing a high impact due to potential exposure of secrets. Exploitation requires prior authentication and knowledge of the system, making it moderately difficult to exploit.
Affected Software
Technical Details
Apache Airflow versions prior to 2.7.1 are susceptible to an information disclosure vulnerability. An authenticated user, who has been granted permission to view a specific task or DAG within the Airflow UI, can manipulate the URL to bypass the UI's masking functionality for secret configurations. This bypass mechanism allows the user to construct a URL that triggers the retrieval and display of task-specific secret configurations (e.g., API keys, database credentials) that are intentionally obscured from casual viewing. The vulnerability likely stems from insufficient validation or sanitization of URL parameters in the backend logic that retrieves configuration details, allowing for direct access to masked data when specific endpoints are invoked with crafted parameters.
What is the Impact of CVE-2023-40712?
Successful exploitation may allow attackers to gain unauthorized access to sensitive configuration data, including API keys, database credentials, or other secret information, leading to further system compromise, unauthorized access, or privilege escalation.
What is the Exploitability of CVE-2023-40712?
Exploitation requires an authenticated user with at least 'see task/dag' permissions in the Airflow UI. The complexity is moderate, involving the crafting of a specific URL, which implies some level of understanding of Airflow's internal URL structures or endpoints. Authentication is a prerequisite. Access is typically remote, as users interact with the Airflow UI over a network. There are no specific special conditions other than the user's existing permissions. The risk factors that increase exploitation likelihood include highly privileged authenticated users who might intentionally or unintentionally trigger the vulnerability, or insider threats.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2023-40712?
Available Upgrade Options
- apache-airflow
- <2.7.1 → Upgrade to 2.7.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-mjqh-v5f2-g2mw
- https://nvd.nist.gov/vuln/detail/CVE-2023-40712
- https://github.com/apache/airflow
- https://github.com/apache/airflow/pull/33516
- https://github.com/apache/airflow/pull/33516
- https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts
- https://github.com/apache/airflow/commit/4390524a41fdfd2d57f1d2dc98ad7b4009c8399e
- https://github.com/apache/airflow/commit/d9814eb3a2fc1dbbb885a0a2c1b7a23ce1cfa148
- https://lists.apache.org/thread/jw1yv4lt6hpowqbb0x4o3tdp0jhx2bts
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-171.yaml
What are Similar Vulnerabilities to CVE-2023-40712?
Similar Vulnerabilities: CVE-2021-37580 , CVE-2021-41270 , CVE-2022-24329 , CVE-2022-26135 , CVE-2021-36728
