{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50344?format=json","vulnerability_id":"VCID-1fj3-3bdw-nbch","summary":"Apache Airflow exposes sensitive information in its log files\nAirflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378","aliases":[{"alias":"CVE-2025-27555"},{"alias":"GHSA-8r55-rv5w-6pfm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32056?format=json","purl":"pkg:pypi/apache-airflow@2.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2xr2-w3hk-auck"},{"vulnerability":"VCID-91n6-evww-zybp"},{"vulnerability":"VCID-dh4r-77xc-cbas"},{"vulnerability":"VCID-t3ap-dzfp-1bd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1"}],"affected_packages":[],"references":[{"reference_url":"https://github.com/apache/airflow","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/airflow"},{"reference_url":"https://github.com/apache/airflow/pull/61882","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/airflow/pull/61882"},{"reference_url":"https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27555","reference_id":"CVE-2025-27555","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27555"},{"reference_url":"https://github.com/advisories/GHSA-8r55-rv5w-6pfm","reference_id":"GHSA-8r55-rv5w-6pfm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8r55-rv5w-6pfm"}],"weaknesses":[{"cwe_id":201,"name":"Insertion of Sensitive Information Into Sent Data","description":"The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor."},{"cwe_id":532,"name":"Insertion of Sensitive Information into Log File","description":"Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1fj3-3bdw-nbch"}