CVE-2023-51702

Name of the Vulnerable Software and Affected Versions Airflow versions 5.2.0 through 6.x Airflow versions 2.3.0 through 2.6.0

Description The Airflow worker serializes a Kubernetes configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption when using deferrable mode. This allows anyone with access to the metadata or triggerer log to obtain the configuration file and use it to access the Kubernetes cluster. The configuration dictionary will be logged as plain text in the triggerer service without masking for Airflow versions between 2.3.0 and 2.6.0.

Recommendations For Airflow versions 5.2.0 through 6.x, upgrade to version 7.0.0 to fix the issue. For Airflow versions 2.3.0 through 2.6.0, upgrade to version 7.0.0 to fix the issue and prevent logging of the configuration dictionary in plain text. As a temporary workaround, consider restricting access to the metadata and triggerer logs to minimize the risk of exploitation.