PT-2024-3091 · Airflow · Airflow

Jarek Potiuk +1

Published: 2024-04-17 · Updated: 2024-05-01 · CVE-2024-31869

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Airflow versions 2.7.0 through 2.8.4

Description: The issue stems from insufficient protection of internal data. An authenticated user can read sensitive provider configuration on the "configuration" UI page when the "webserver.expose_config" option is set to "non-sensitive-only". This primarily affects the Celery provider, whose configuration contains sensitive values.

Recommendations: For Airflow versions 2.7.0 through 2.8.4, migrate to Airflow 2.9, or set the "expose_config" option to False as a workaround.
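
The weak setting and the workaround above, as an added audit script that is not part of this advisory: it assumes the option lives at `[webserver] expose_config` in airflow.cfg, that the AIRFLOW__WEBSERVER__EXPOSE_CONFIG environment variable takes precedence over the file, and it uses a constructed sample configuration.

```python
"""Check an Airflow deployment for the CVE-2024-31869 exposure described above."""
import configparser
import os
import re

# Affected range from the advisory: Airflow 2.7.0 through 2.8.4 (inclusive).
AFFECTED_MIN = (2, 7, 0)
AFFECTED_MAX = (2, 8, 4)
FALSE_VALUES = {"0", "false", "no", "off", "f", "n"}

# Constructed sample airflow.cfg with the weak setting; the Celery section is
# the kind of provider configuration the advisory says gets leaked.
SAMPLE_CFG = """\
[webserver]
expose_config = non-sensitive-only
[celery]
broker_url = redis://redis:6379/0
"""

def parse_version(text):
    """Turn '2.8.4' (or '2.8.4rc1') into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in text.split(".")[:3]:
        match = re.match(r"\d+", piece)  # keep only the leading digits of each part
        parts.append(int(match.group()) if match else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def effective_expose_config(cfg_text, env=None):
    """Resolve webserver.expose_config; assumption: the env var overrides airflow.cfg."""
    env = os.environ if env is None else env
    value = env.get("AIRFLOW__WEBSERVER__EXPOSE_CONFIG")
    if value is None:
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(cfg_text)
        value = parser.get("webserver", "expose_config", fallback="False")
    return value.strip().lower()

def assess(version, cfg_text, env=None):
    """Return (status, reason): 'vulnerable', 'exposed by design' or 'not affected'."""
    setting = effective_expose_config(cfg_text, env)
    if setting in FALSE_VALUES:
        return "not affected", "expose_config is off, the configuration page shows nothing"
    in_range = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    if setting == "non-sensitive-only":
        if in_range:
            return "vulnerable", f"non-sensitive-only leaks provider secrets on {version}; upgrade to 2.9 or set expose_config = False"
        return "not affected", f"{version} is outside the affected range"
    # True shows the full configuration on every version: an operator choice, not this CVE.
    return "exposed by design", f"expose_config = {setting} exposes all settings"
```

Run `assess("2.8.4", SAMPLE_CFG)` against a real deployment by passing the contents of its airflow.cfg and the running version.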

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2024-03288
BIT-AIRFLOW-2024-31869
CVE-2024-31869
GHSA-2522-MRJC-M688

Affected Products

Airflow