mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-29 01:31:20 +00:00
{
"id": "CVE-2024-45784",
"sourceIdentifier": "security@apache.org",
"published": "2024-11-15T09:15:14.897",
"lastModified": "2024-11-21T09:38:05.210",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability.\u00a0If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets."
},
{
"lang": "es",
"value": "Las versiones de Apache Airflow anteriores a la 2.10.3 contienen una vulnerabilidad que podr\u00eda exponer variables de configuraci\u00f3n confidenciales en los registros de tareas. Esta vulnerabilidad permite a los autores de DAG registrar variables de configuraci\u00f3n confidenciales de forma intencional o no intencionada. Los usuarios no autorizados podr\u00edan acceder a estos registros, lo que podr\u00eda exponer datos cr\u00edticos que podr\u00edan explotarse para comprometer la seguridad de la implementaci\u00f3n de Airflow. En la versi\u00f3n 2.10.3, los secretos ahora est\u00e1n enmascarados en los registros de tareas para evitar que las variables de configuraci\u00f3n confidenciales se expongan en la salida del registro. Los usuarios deben actualizar a Airflow 2.10.3 o la versi\u00f3n m\u00e1s reciente para eliminar esta vulnerabilidad. Si sospecha que los autores de DAG podr\u00edan haber registrado los valores secretos en los registros y que sus registros no est\u00e1n protegidos adicionalmente, tambi\u00e9n se recomienda que actualice esos secretos."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "security@apache.org",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-1295"
}
]
}
],
"references": [
{
"url": "https://github.com/apache/airflow/pull/43040",
"source": "security@apache.org"
},
{
"url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h",
"source": "security@apache.org"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/15/1",
"source": "af854a3a-2127-422b-91ae-364da2661108"
}
]
}