CVE-2024-50378
Information Disclosure vulnerability in apache-airflow (PyPI)
What is CVE-2024-50378 About?
Airflow versions before 2.10.3 suffer from an information disclosure vulnerability, exposing sensitive variable values in audit logs to authenticated users with audit log access. This allows unauthorized access to critical configuration data that should remain confidential. Exploitation is limited to specific authenticated users.
Affected Software
Technical Details
The vulnerability in Apache Airflow, affecting versions prior to 2.10.3, is an information disclosure flaw where sensitive variable values are inappropriately logged in audit trails. Specifically, when sensitive environment variables or configurations are set via the Airflow CLI, their values are captured and stored unencrypted within the Airflow database's audit log table. This means any authenticated user who has access to view the audit logs can retrieve these sensitive values (e.g., API keys, passwords, connection strings) that should otherwise be protected. The issue stems from a lack of proper sanitization or redaction of sensitive input during the logging process for CLI-based variable 설정.
What is the Impact of CVE-2024-50378?
Successful exploitation may allow attackers to obtain sensitive information, bypass access controls, compromise data confidentiality, and aid further attacks.
What is the Exploitability of CVE-2024-50378?
Exploitation of this vulnerability requires an authenticated user with specific access to audit logs. The complexity is low to moderate, as it involves querying or viewing the audit logs to retrieve the sensitive information. Remote access is possible if the Airflow UI or API for audit logs is accessible over the network. The prerequisite is the 'audit log access' privilege. No other special conditions are mentioned. The risk of exploitation is significantly higher in environments where multiple users have access to audit logs, or where proper logging hygiene and access controls for audit data are not strictly enforced. Attackers could leverage these exposed secrets for further lateral movement or privilege escalation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2024-50378?
Available Upgrade Options
- apache-airflow
- <2.10.3 → Upgrade to 2.10.3
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://lists.apache.org/thread/17rxys384lzfd6nhm3fztzgvk47zy7jb
- https://github.com/apache/airflow/pull/43123
- https://github.com/apache/airflow
- https://lists.apache.org/thread/17rxys384lzfd6nhm3fztzgvk47zy7jb
- https://osv.dev/vulnerability/GHSA-j857-2pwm-jjmm
- https://github.com/apache/airflow/pull/43123
- http://www.openwall.com/lists/oss-security/2024/11/08/5
- https://nvd.nist.gov/vuln/detail/CVE-2024-50378
- http://www.openwall.com/lists/oss-security/2024/11/08/5
What are Similar Vulnerabilities to CVE-2024-50378?
Similar Vulnerabilities: CVE-2024-27906 , CVE-2023-50944 , CVE-2023-38038 , CVE-2023-46726 , CVE-2023-45585
