CVE-2023-51702
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in apache-airflow (PyPI)
What is CVE-2023-51702 About?
This vulnerability affects the Apache Airflow Kubernetes provider (apache-airflow-providers-cncf-kubernetes) from version 5.2.0 onward: when deferrable mode is used with a Kubernetes configuration file path, sensitive Kubernetes configuration details are exposed. The contents of the configuration file are serialized and stored in the Airflow metadata database, or logged in plaintext, which allows anyone who can read that data to obtain Kubernetes cluster credentials. Exploitation is relatively easy for anyone with access to the metadata database or the triggerer logs.
Affected Software
- apache-airflow
  - >=2.3.0, <2.6.1
- apache-airflow-providers-cncf-kubernetes
  - >=5.2.0, <7.0.0
Technical Details
The vulnerability affects Apache Airflow when its deferrable mode is used with a Kubernetes configuration file for authentication. In provider versions 5.2.0 and later, instead of passing only the file path to the trigger, the contents of the Kubernetes configuration file are serialized as a dictionary and stored unencrypted in the Airflow metadata database. Additionally, on Airflow versions 2.3.0 through 2.6.0, this configuration dictionary is logged in plaintext in the triggerer service logs, without any masking. This design flaw allows any actor with access to the Airflow metadata database or the triggerer logs to retrieve the full Kubernetes configuration, including its credentials, and thereby gain unauthorized access to the Kubernetes cluster.
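The following is an added detection example, not code from the advisory or from the Airflow project. It shows how a defender can check triggerer log lines, or trigger-kwargs JSON pulled from the metadata database, for a serialized kubeconfig that still carries credentials, and how the same structure looks once credential values are masked. The list of credential-bearing kubeconfig keys, the `config_dict` kwarg name, the log-line format and all sample values are assumptions constructed for the example.

```python
import json

# Kubeconfig fields that carry credentials. Assumed list of the common ones, not a
# claim about exactly which fields the affected provider serialized.
SENSITIVE_KEYS = {"client-certificate-data", "client-key-data",
                  "certificate-authority-data", "token", "password"}


def is_kubeconfig_dict(obj):
    """A deserialized kubeconfig has top-level 'clusters' and 'users' entries."""
    return isinstance(obj, dict) and {"clusters", "users"} <= set(obj)


def iter_dicts(obj):
    """Yield every dict nested anywhere inside obj, outermost first."""
    if isinstance(obj, dict):
        yield obj
        for v in obj.values():
            yield from iter_dicts(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_dicts(v)


def find_sensitive_paths(obj, path=""):
    """Yield dotted paths of non-empty credential-bearing keys inside a kubeconfig."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k in SENSITIVE_KEYS and v:
                yield p
            yield from find_sensitive_paths(v, p)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from find_sensitive_paths(v, f"{path}[{i}]")


def extract_json_objects(text):
    """Yield each JSON object embedded in free text, skipping braces that are not
    JSON, such as the '{module.py:123}' prefix Airflow puts on log lines."""
    decoder = json.JSONDecoder()
    idx = text.find("{")
    while idx != -1:
        try:
            obj, end = decoder.raw_decode(text, idx)
        except json.JSONDecodeError:
            idx = text.find("{", idx + 1)
            continue
        if isinstance(obj, dict):
            yield obj
        idx = text.find("{", end)


def kubeconfig_leaks(text):
    """Credential paths of every serialized kubeconfig found in text. Works on a
    triggerer log line and on a trigger-kwargs JSON string read from the metadata DB."""
    paths = []
    for obj in extract_json_objects(text):
        for candidate in iter_dicts(obj):
            if is_kubeconfig_dict(candidate):
                paths.extend(find_sensitive_paths(candidate))
    return paths


def scan_log_lines(lines):
    """Return [(line_no, paths)] for lines carrying a kubeconfig with credentials."""
    return [(no, p) for no, line in enumerate(lines, 1) if (p := kubeconfig_leaks(line))]


def redact(obj):
    """Copy of obj with credential values masked: what a logger should emit instead."""
    if isinstance(obj, dict):
        return {k: "***" if k in SENSITIVE_KEYS else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


# Constructed sample data: a minimal kubeconfig and three log lines shaped like
# triggerer output. The 'config_dict' kwarg name and the log format are assumptions.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "demo", "cluster": {"server": "https://10.0.0.1:6443",
                                              "certificate-authority-data": "Q09OU1RSVUNURUQ="}}],
    "users": [{"name": "demo-user", "user": {"token": "CONSTRUCTED-TOKEN"}}],
    "contexts": [{"name": "demo", "context": {"cluster": "demo", "user": "demo-user"}}],
    "current-context": "demo",
}
SAMPLE_LOG_LINES = [
    "[2024-01-24T10:00:00.000+0000] {triggerer_job.py:123} INFO - trigger started",
    "[2024-01-24T10:00:01.000+0000] {base.py:45} INFO - trigger kwargs: "
    + json.dumps({"pod_name": "demo", "config_dict": SAMPLE_KUBECONFIG}),
    '[2024-01-24T10:00:02.000+0000] {triggerer_job.py:130} INFO - fired {"status": "success"}',
]

if __name__ == "__main__":
    for no, paths in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {no}: kubeconfig credentials at {paths}")
    print(json.dumps(redact(SAMPLE_KUBECONFIG)))
```

Run against a real triggerer log file with `scan_log_lines(open(path).read().splitlines())`, or against the JSON kwargs column of stored trigger rows with `kubeconfig_leaks(row_json)`; a non-empty result means a kubeconfig with live credentials is sitting in that store and those credentials should be rotated, not only masked.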
What is the Impact of CVE-2023-51702?
Successful exploitation may allow attackers to disclose sensitive information, including Kubernetes cluster credentials, leading to unauthorized access to the cluster and its resources.
What is the Exploitability of CVE-2023-51702?
Exploitation requires access to the Airflow metadata database or to the triggerer service logs. The complexity is low, because the sensitive information is stored or logged in plaintext. No authentication to the Airflow UI is needed; what is needed is read access to the underlying database or log storage. Depending on how that database or those logs are reachable, the exploit can be local or remote. The prerequisites are therefore that deferrable mode is used with a Kubernetes configuration file on affected Airflow versions, and that the attacker can read the data store or the log files.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-51702?
Available Upgrade Options
- apache-airflow-providers-cncf-kubernetes
  - >=5.2.0, <7.0.0 → Upgrade to 7.0.0
- apache-airflow
  - >=2.3.0, <2.6.1 → Upgrade to 2.6.1
Additional Resources
- https://osv.dev/vulnerability/GHSA-mg2x-mggj-6955
- https://github.com/apache/airflow/pull/36492
- http://www.openwall.com/lists/oss-security/2024/01/24/3
- https://github.com/apache/airflow/pull/30110
- https://github.com/apache/airflow
- https://github.com/apache/airflow/pull/29498
- https://nvd.nist.gov/vuln/detail/CVE-2023-51702
- https://lists.apache.org/thread/89x3q6lz5pykrkr1fkr04k4rfn9pvnv9
What are Similar Vulnerabilities to CVE-2023-51702?
Similar Vulnerabilities: CVE-2023-29479, CVE-2023-25587, CVE-2023-28956, CVE-2022-47408, CVE-2022-38706
