AVID-2026-R1216
Description
Apache Airflow AWS Provider: Arbitrary file read via AWS provider (CVE-2023-25956)
Details
Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider.
This issue affects Apache Airflow AWS Provider versions before 7.2.1.
Reason for inclusion in AVID: CVE-2023-25956 describes an arbitrary file read vulnerability in the Apache Airflow AWS Provider. Airflow is commonly used to orchestrate data, ML and AI pipelines, so the provider can be part of the software supply chain for general-purpose AI systems. It is a security vulnerability with potential impact on AI data and models when Airflow is used in AI deployments. The CVE and its references provide sufficient signal and a clear affected-version range.
References
- NVD entry
- https://github.com/apache/airflow/pull/29587
- https://lists.apache.org/thread/07pl9y4gdpw2c6rzqm77dvkm2z2kb5gv
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Airflow AWS Provider |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-209 | Generation of Error Message Containing Sensitive Information |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-02-24
- Version: 0.3.3