We use cookies to improve your experience on our site.
AVID-2026-R1169
Description
Apache Airflow: Security vulnerability on AirFlow Connections (CVE-2022-46651)
Details
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.
Reason for inclusion in AVID: CVE-2022-46651 describes a security vulnerability in Apache Airflow that allows an unauthorized actor to access sensitive information via the Connection edit view. Airflow is a widely used orchestration tool in AI/ML pipelines, and vulnerabilities in such software can impact the deployment, management, and security of AI systems. This vulnerability is software-based (not hardware/firmware), affects components commonly used to build/run AI workflows, constitutes a security vulnerability (CWE-200), and the report provides evidence (NVD entry, Apache PR) and a fix in version 2.6.3.
References
- NVD entry
- https://github.com/apache/airflow/pull/32309
- https://lists.apache.org/thread/n45h3y82og125rnlgt6rbm9szfb6q24d
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-200 | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-07-12
- Version: 0.3.3
- AVID Entry