CVE-2022-27949
Apache Airflow subject to Exposure of Sensitive Information
CVSS 3.1: 7.5 (HIGH)
EPSS 0.42%
Description
A vulnerability in the UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks that were not executed (for example, when they were depending on past and previous instances of the task failed). This issue affects Apache Airflow prior to 2.3.1.
How to fix CVE-2022-27949
To remediate CVE-2022-27949, upgrade the affected package to a fixed version below.
- Upgrade to 2.3.1 or later
Is CVE-2022-27949 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.3.1
- from 0, < 2.3.1
- from 0, < 2.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |