U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-31869

Change History

New CVE Received by NIST 4/18/2024 4:15:38 AM

Action Type Old Value New Value
Added CWE

Apache Software Foundation CWE-200
Added Description

Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI page when "non-sensitive-only" was set as "webserver.expose_config" configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your "expose_config" configuration to False as a workaround. This is similar, but different to  CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq  which concerned API, not UI configuration page.
Added Reference

Apache Software Foundation https://github.com/apache/airflow/pull/38795 [No types assigned]
Added Reference

Apache Software Foundation https://lists.apache.org/thread/pz6vg7wcjk901rmsgt86h76g6kfcgtk3 [No types assigned]