Home > Vulnerability Database > CVE-2024-50378

Mend.io Vulnerability Database

CVE-2024-50378

Good to know:

Date: November 8, 2024

Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.

Language: Python

Severity Score

4.9

Related Resources (6)

Url: https://github.com/apache/airflow/pull/43123

Url: https://github.com/apache/airflow

Url: https://lists.apache.org/thread/17rxys384lzfd6nhm3fztzgvk47zy7jb

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-50378

Url: http://www.openwall.com/lists/oss-security/2024/11/08/5

Url: https://www.mend.io/vulnerability-database/CVE-2024-50378

Severity Score

4.9

Weakness Type (CWE)

Insertion of Sensitive Information Into Sent Data

CWE-201

Top Fix

Upgrade Version

Upgrade to version apache-airflow - 2.10.3

Learn More

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-50378

Good to know:

Date: November 8, 2024

Language: Python

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?