CVE-2020-17511
Apache Airflow logs passwords in plaintext
2.8
LOW
CVSS 3.1
EPSS 0.49%
Description
In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field.
How to fix CVE-2020-17511
To remediate CVE-2020-17511, upgrade the affected package to a fixed version below.
- Bitnami/airflow—upgrade to 1.10.13 or later
- —upgrade to 1.10.13 or later
- —upgrade to 1.10.13 or later
Is CVE-2020-17511 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.10.13
- from 0, < 1.10.13
- from 0, < 1.10.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | LOW2.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |