
Vulnerability_id VCID-k9xk-wwbf-3bd5
Summary
Insertion of Sensitive Information into Log File
Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. Additionally, if used with an Airflow version between 2.3.0 and 2.6.0, the configuration dictionary will be logged as plain text in the triggerer service without masking. This allows anyone with access to the metadata or triggerer log to obtain the configuration file and use it to access the Kubernetes cluster.

This behavior was changed in version 7.0.0, which stopped serializing the file contents and started providing the file path instead to read the contents into the trigger. Users are recommended to upgrade to version 7.0.0, which fixes this issue.
Aliases
0
alias CVE-2023-51702
1
alias GHSA-mg2x-mggj-6955
Fixed_packages
0
url pkg:pypi/apache-airflow@2.6.1
purl pkg:pypi/apache-airflow@2.6.1
is_vulnerable true
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.6.1
1
url pkg:pypi/apache-airflow-providers-cncf-kubernetes@7.0.0
purl pkg:pypi/apache-airflow-providers-cncf-kubernetes@7.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow-providers-cncf-kubernetes@7.0.0
Affected_packages
0
url pkg:pypi/apache-airflow@2.3.0
purl pkg:pypi/apache-airflow@2.3.0
is_vulnerable true
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.3.0
1
url pkg:pypi/apache-airflow-providers-cncf-kubernetes@5.2.0
purl pkg:pypi/apache-airflow-providers-cncf-kubernetes@5.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-k9xk-wwbf-3bd5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow-providers-cncf-kubernetes@5.2.0
References
0
reference_url https://github.com/apache/airflow/pull/29498
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/29498
1
reference_url https://github.com/apache/airflow/pull/30110
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/30110
2
reference_url https://github.com/apache/airflow/pull/36492
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/36492
3
reference_url https://lists.apache.org/thread/89x3q6lz5pykrkr1fkr04k4rfn9pvnv9
reference_id
reference_type
scores
url https://lists.apache.org/thread/89x3q6lz5pykrkr1fkr04k4rfn9pvnv9
4
reference_url http://www.openwall.com/lists/oss-security/2024/01/24/3
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/01/24/3
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-51702
reference_id CVE-2023-51702
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-51702
6
reference_url https://github.com/advisories/GHSA-mg2x-mggj-6955
reference_id GHSA-mg2x-mggj-6955
reference_type
scores
url https://github.com/advisories/GHSA-mg2x-mggj-6955
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 312
name Cleartext Storage of Sensitive Information
description The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
2
cwe_id 532
name Insertion of Sensitive Information into Log File
description Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
3
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score null
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k9xk-wwbf-3bd5