Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli

Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.

N/A

通过发送数据的信息暴露

Apache Airflow 安全漏洞

Apache Airflow是美国阿帕奇（Apache）基金会的一套用于创建、管理和监控工作流程的开源平台。该平台具有可扩展和动态监控等特点。 Apache Airflow 2.10.3之前版本存在安全漏洞，该漏洞源于允许具有审计日志访问权限的经过身份验证的用户查看审计日志中的敏感值。

N/A

N/A