CVE-2024-45784
Exposure of Sensitive Data vulnerability in airflow (PyPI)
What is CVE-2024-45784 About?
This vulnerability in Apache Airflow allows sensitive configuration variables to be exposed in task logs unintentionally or intentionally by DAG authors. This could lead to unauthorized users accessing critical data, potentially compromising the security of the Airflow deployment. Exploitation is relatively easy if an attacker gains access to the logs.
Affected Software
- airflow: <2.10.3
- apache-airflow: <2.10.3
Technical Details
Apache Airflow versions before 2.10.3 did not properly mask sensitive configuration variables within task logs. DAG authors, who have legitimate access to write DAGs, could either inadvertently or maliciously include sensitive variables in their logging output. When these tasks are executed, the sensitive data is written to the task logs. An attacker who gains access to these logs, either through compromised credentials, insufficient log access controls, or other means, can then extract the exposed sensitive configuration variables. These variables could include API keys, database credentials, or other secrets vital to the Airflow deployment, enabling further unauthorized access or system compromise.
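Task logs written before the upgrade still contain whatever was logged, so they need to be audited for known secret values. The following is an added example, not code from Airflow or from the advisory: a standard-library scanner that reports which secret appears on which log line, in raw or URL-encoded form, without echoing the value. The secret names, values and log lines are constructed for illustration.

```python
import re
from urllib.parse import quote

MIN_SECRET_LEN = 6  # shorter values match too much ordinary log text
# Constructed sample data: names are labels invented here, values are fake.
SAMPLE_SECRETS = {
    "db_conn_uri": "postgresql://airflow:S3cr3t!pw@db/airflow",
    "fernet_key": "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==",
    "short_flag": "on",  # too short to search for reliably
}
SAMPLE_LOG = [
    "[2024-11-01, 10:00:00 UTC] {taskinstance.py:1} INFO - Starting attempt 1 of 1",
    "[2024-11-01, 10:00:01 UTC] {demo.py:12} INFO - conn=postgresql://airflow:S3cr3t!pw@db/airflow",
    "[2024-11-01, 10:00:02 UTC] {demo.py:13} INFO - key=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA%3D%3D",
    "[2024-11-01, 10:00:03 UTC] {demo.py:14} INFO - feature is on",
]


def build_patterns(secrets):
    """Map each usable secret name to a regex for its raw and URL-encoded form."""
    patterns = {}
    for name, value in secrets.items():
        if len(value) < MIN_SECRET_LEN:
            continue
        # Longest variant first so a raw value that prefixes its encoded form
        # cannot leave a partial match behind when redacting.
        variants = sorted({value, quote(value, safe="")}, key=len, reverse=True)
        patterns[name] = re.compile("|".join(re.escape(v) for v in variants))
    return patterns


def scan_log(lines, secrets):
    """Return (line_number, secret_name) for every line containing a secret."""
    patterns = build_patterns(secrets)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in patterns.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def redact(line, secrets):
    """Replace any secret value found in a log line with a fixed marker."""
    for pattern in build_patterns(secrets).values():
        line = pattern.sub("***", line)
    return line

if __name__ == "__main__":
    for lineno, name in scan_log(SAMPLE_LOG, SAMPLE_SECRETS):
        print(f"line {lineno}: value of {name} present")
```

Any secret reported by the scan should be rotated, since redacting the log does not undo earlier reads.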
What is the Impact of CVE-2024-45784?
Successful exploitation may allow attackers to gain unauthorized access to sensitive configuration data, enabling further compromise of the system, data exfiltration, or escalation of privileges within the Airflow environment.
What is the Exploitability of CVE-2024-45784?
Exploitation complexity is moderate, primarily relying on an attacker's ability to access task logs after a DAG author has caused sensitive data to be logged. Prerequisites include legitimate DAG authoring capabilities (though it can be unintentional) or an existing foothold to access log files. No authentication is required at the point of log access if the logs are externally exposed or if an attacker has already bypassed initial authentication. Privilege requirements depend on the method of log access; if logs are poorly secured, low-privilege access might suffice. Access is typically local to the system storing the logs, but could be remote if logs are accessible over a network. The likelihood of exploitation increases if logging practices are not reviewed, or if log storage has weak access controls.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-45784?
Available Upgrade Options
- apache-airflow: <2.10.3 → Upgrade to 2.10.3
- airflow: <2.10.3 → Upgrade to 2.10.3
Additional Resources
- https://osv.dev/vulnerability/GHSA-46c3-5xc5-wwhv
- https://github.com/apache/airflow/pull/43040
- https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
- https://nvd.nist.gov/vuln/detail/CVE-2024-45784
- https://github.com/apache/airflow
- http://www.openwall.com/lists/oss-security/2024/11/15/1
- https://osv.dev/vulnerability/PYSEC-2024-182
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml
What are Similar Vulnerabilities to CVE-2024-45784?
Similar Vulnerabilities: CVE-2023-42781, CVE-2023-42663, CVE-2023-50943, GHSA-xr7q-jx4m-x55m, CVE-2023-49080
