CVE-2023-45348 - Apache Airflow Vulnerability: Sensitive Configuration Exposure in Versions 2.7. and 2.7.1

The Apache Airflow project is an open-source platform designed to programmatically author, schedule, and monitor workflows. Recently, a vulnerability has been discovered in Apache Airflow versions 2.7. and 2.7.1. This vulnerability could potentially allow an authenticated user to access sensitive configuration information when the expose_config option is set to non-sensitive-only. By default, the expose_config option is set to False.

In this post, we will delve deeper into the details of this vulnerability, including the affected code snippet, original references, and exploit details. It is crucial to address this vulnerability by upgrading to a secure version of Apache Airflow.

Code Snippet

The configuration exposure occurs in the airflow/www/views.py file. When the expose_config flag is set to non-sensitive-only, the filtered_config function is called. This function is responsible for filtering out sensitive information, but it doesn't effectively filter everything it should.

def filtered_config(expose_config: str) -> Dict[str, Dict[str, Any]]:
    if expose_config == "non-sensitive-only":
       conf_dict = {
           section: {
               key: config.get(section, key) for key in config.options(section)
            } for section in config.sections()
       }
       remove_sensitive_info(conf_dict)
       return conf_dict
    .
    .
    .

Original References

1. Official Apache Airflow GitHub Repository: https://github.com/apache/airflow
2. Official Apache Airflow Documentation: https://airflow.apache.org/docs/apache-airflow/stable/index.html

Exploit Details

To exploit this vulnerability, an attacker with authentication privileges must have access to the application's configuration page. When the expose_config option is set to non-sensitive-only, the attacker can view sensitive configuration data that should not be exposed.

Although not directly exploitable, this vulnerability could provide an attacker with valuable information about the application infrastructure, secret keys, database credentials, and other critical data. This could subsequently be used to execute further attacks on the systems.

Mitigation

To prevent unauthorized access to sensitive configuration information, it is highly recommended to upgrade to a version of Apache Airflow that is not affected by this vulnerability:

1. Verify the current version of your Apache Airflow installation by checking the __version__ attribute or using the command line:

$ airflow version

If you are using version 2.7. or 2.7.1, upgrade your Apache Airflow installation

$ pip install --upgrade apache-airflow

Verify that the upgrade was successful by checking the version number again.

In scenarios where an upgrade is not feasible, take extra precaution by ensuring that only authorized and trusted users have access to the configuration page.

Conclusion

CVE-2023-45348 highlights the importance of maintaining an up-to-date software stack and taking the necessary precautions to protect sensitive data. Make sure to upgrade to a secure version of Apache Airflow and follow best security practices to safeguard your system from unauthorized access. Stay vigilant and keep your applications safe!

Timeline

Published on: 10/14/2023 10:15:10 UTC
Last modified on: 11/16/2023 02:22:46 UTC