PT-2024-34168 · Apache · Apache Airflow

Saurabh Banawar

Published: 2024-11-08
Updated: 2026-03-11

CVE-2024-50378
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.10.3
Description: The issue allows authenticated users with audit log access to see sensitive values in audit logs that they should not see. This occurs when sensitive variables are set via the Airflow CLI, resulting in the values being stored unencrypted in the Airflow database. The risk is limited to users with audit log access.
Recommendations: For Apache Airflow versions prior to 2.10.3, upgrade to Airflow 2.10.3 or a later version to address this issue. Additionally, users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table.
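To act on the cleanup recommendation, an operator needs to find the audit-log rows that the CLI `variables set` command wrote and remove them. The following is an added example, not code from the advisory or from the Airflow project: it assumes the audit-log event name `cli_variables_set` and the `id`, `dttm`, `event`, `owner`, `extra` columns of Airflow's `log` table, and runs against a constructed in-memory SQLite copy so it can be tried offline before pointing the same queries at a real metadata database.

```python
import json
import sqlite3

# Assumed audit-log event name written by `airflow variables set` (not stated on the page).
CLI_VARIABLES_SET_EVENT = "cli_variables_set"


def find_cli_variable_set_entries(conn):
    """Return (id, dttm, owner, extra) for audit-log rows recorded by the CLI `variables set` command."""
    sql = "SELECT id, dttm, owner, extra FROM log WHERE event = ? ORDER BY id"
    return conn.execute(sql, (CLI_VARIABLES_SET_EVENT,)).fetchall()


def purge_cli_variable_set_entries(conn, variable_names=None):
    """Delete CLI `variables set` audit rows; if variable_names is given, only rows mentioning those names.
    Returns the number of rows deleted."""
    to_delete = []
    for row_id, _dttm, _owner, extra in find_cli_variable_set_entries(conn):
        if variable_names is None:
            to_delete.append(row_id)
            continue
        # `extra` is JSON; the recorded full command line is where the variable name and value appear.
        full_command = str(json.loads(extra or "{}").get("full_command", ""))
        if any(name in full_command for name in variable_names):
            to_delete.append(row_id)
    for row_id in to_delete:
        conn.execute("DELETE FROM log WHERE id = ?", (row_id,))
    conn.commit()
    return len(to_delete)


def build_sample_db():
    """Constructed sample data mimicking the relevant columns of the Airflow `log` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, dttm TEXT, event TEXT, owner TEXT, extra TEXT)")
    rows = [
        ("2024-11-01T10:00:00", CLI_VARIABLES_SET_EVENT, "admin",
         json.dumps({"host_name": "scheduler-1",
                     "full_command": "['airflow', 'variables', 'set', 'db_password', 'EXAMPLE-SECRET']"})),
        ("2024-11-01T10:05:00", CLI_VARIABLES_SET_EVENT, "admin",
         json.dumps({"host_name": "scheduler-1",
                     "full_command": "['airflow', 'variables', 'set', 'api_key', 'EXAMPLE-KEY']"})),
        ("2024-11-01T10:10:00", "cli_dags_list", "admin",
         json.dumps({"host_name": "scheduler-1", "full_command": "['airflow', 'dags', 'list']"})),
        ("2024-11-01T11:00:00", "trigger", "alice", json.dumps({})),
    ]
    conn.executemany("INSERT INTO log (dttm, event, owner, extra) VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn
```

Review the rows returned by `find_cli_variable_set_entries` before purging, since `extra` shows which variables were set and by whom; unrelated audit events are left untouched.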

Fix


Weakness Enumeration

Related Identifiers

BIT-AIRFLOW-2024-50378
CVE-2024-50378
GHSA-J857-2PWM-JJMM

Affected Products

Apache Airflow