Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-51702 #2475

Closed
GoVulnBot opened this issue Jan 24, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-51702 #2475

GoVulnBot opened this issue Jan 24, 2024 · 1 comment
Assignees
@tatianab
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-51702 references github.com/apache/airflow, which may be a Go module.

Description:
Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. Additionally, if used with an Airflow version between 2.3.0 and 2.6.0, the configuration dictionary will be logged as plain text in the triggerer service without masking. This allows anyone with access to the metadata or triggerer log to obtain the configuration file and use it to access the Kubernetes cluster.

This behavior was changed in version 7.0.0, which stopped serializing the file contents and started providing the file path instead to read the contents into the trigger. Users are recommended to upgrade to version 7.0.0, which fixes this issue.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/airflow
      vulnerable_at: 1.8.2
      packages:
        - package: Apache Airflow CNCF Kubernetes provider
cves:
    - CVE-2023-51702
references:
    - fix: https://github.com/apache/airflow/pull/29498
    - fix: https://github.com/apache/airflow/pull/30110
    - fix: https://github.com/apache/airflow/pull/36492
    - web: https://lists.apache.org/thread/89x3q6lz5pykrkr1fkr04k4rfn9pvnv9
@tatianab tatianab self-assigned this Jan 24, 2024
@tatianab tatianab added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Jan 24, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/557819 mentions this issue: data/excluded: batch add 10 excluded reports

@GoVulnBot GoVulnBot mentioned this issue Feb 20, 2024
Closed
This was referenced Feb 29, 2024
Closed
Closed
This was referenced Apr 3, 2024
Closed
Closed
This was referenced Apr 18, 2024
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue May 1, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue May 14, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Jun 14, 2024
Closed
This was referenced Jul 17, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot