Secrets not masked in UI when sensitive variables are set via Airflow cli
Summary by Internet Bug Bounty
Timeline
saurabhb submitted a report to Internet Bug Bounty.
November 7, 2024, 8:41am UTC
When a sensitive variable is set using the Airflow CLI, it should be masked on every instance where it is referenced in the UI. However, it has been observed that it is masked on the Variable List page and other pages but not on the Audit Logs page.
Allocated CVE: CVE-2024-50378
Apache Airflow release notes confirming the fix in the latest release, 2.10.3: https://airflow.apache.org/docs/apache-airflow/stable/release_notes.html#airflow-2-10-3-2024-11-04
Pull request that fixes the issue: https://github.com/apache/airflow/pull/43123
Email communication between me (reporter) and the security team of Apache Airflow: [attachment removed]
Impact
Sensitive information disclosed on UI without masking.
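The report's point is that masking was applied on the Variable List page but skipped on the Audit Logs page, so the same value leaked through a second rendering surface. The following added example (not Airflow's code and not part of the report) shows the defender's pattern that closes that gap: key-based masking modelled on the idea of Airflow's `[core] sensitive_var_conn_names` setting, applied to every rendered surface, plus a value-based pass over the audit-log payload and a check that reports which views still leak. The sensitive-name list, the `Variable` and `AuditEvent` records, the event name and the sample values are constructed for this example.

```python
"""Mask sensitive Variable values on every surface that renders them.

Added example, not Airflow's own code: the sensitive-name fragments, the
Variable / AuditEvent records and the sample values are all constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Key fragments that mark a variable as sensitive. Illustrative list in the
# spirit of Airflow's [core] sensitive_var_conn_names setting; not from the report.
DEFAULT_SENSITIVE_FRAGMENTS = frozenset({
    "access_token", "api_key", "apikey", "authorization", "passphrase",
    "passwd", "password", "private_key", "secret", "token",
})
MASK = "***"


def should_hide_value_for_key(key: str, extra_fragments: frozenset[str] = frozenset()) -> bool:
    """True when any sensitive fragment appears in the key (case-insensitive)."""
    lowered = key.lower()
    return any(frag in lowered for frag in DEFAULT_SENSITIVE_FRAGMENTS | extra_fragments)


@dataclass(frozen=True)
class Variable:
    key: str
    val: str


@dataclass(frozen=True)
class AuditEvent:
    event: str   # constructed event name, e.g. "cli_variables_set"
    key: str     # the Variable key the event refers to
    extra: str   # JSON payload recorded with the event, as the CLI/UI stored it


def redact_known_values(text: str, secrets: set[str]) -> str:
    """Value-based pass: replace every known secret value wherever it appears.
    Longest values first so a secret that contains another is fully masked."""
    for secret in sorted(secrets, key=len, reverse=True):
        if secret:
            text = text.replace(secret, MASK)
    return text


def render_variable_list(variables: list[Variable]) -> list[dict]:
    """Variable List page: key-based masking (the surface the report says works)."""
    return [
        {"key": v.key, "val": MASK if should_hide_value_for_key(v.key) else v.val}
        for v in variables
    ]


def render_audit_log(events: list[AuditEvent], known_secrets: set[str]) -> list[dict]:
    """Audit Logs page: apply the same key-based rule to the recorded payload,
    then a value-based pass so a surface that forgot the key rule still cannot leak."""
    rows = []
    for e in events:
        payload = json.loads(e.extra)
        if should_hide_value_for_key(e.key) and "val" in payload:
            payload["val"] = MASK
        rows.append({
            "event": e.event,
            "key": e.key,
            "extra": redact_known_values(json.dumps(payload), known_secrets),
        })
    return rows


def find_leaks(secret: str, views: dict[str, object]) -> list[str]:
    """Return the names of rendered views whose output still contains the secret."""
    return sorted(name for name, rendered in views.items() if secret in json.dumps(rendered))


def demo() -> tuple[list[str], list[str]]:
    """Reproduce the report's gap, then show it closed. Returns (leaks before, leaks after)."""
    secret = "s3cr3t-hunter2"  # constructed sample value
    variables = [Variable("db_password", secret), Variable("region", "eu-west-1")]
    events = [AuditEvent("cli_variables_set", "db_password",
                         json.dumps({"key": "db_password", "val": secret}))]

    # Before: the audit log renders the stored payload verbatim.
    unmasked_audit = [{"event": e.event, "key": e.key, "extra": e.extra} for e in events]
    before = find_leaks(secret, {"variable_list": render_variable_list(variables),
                                 "audit_log": unmasked_audit})
    # After: every surface goes through the masker.
    after = find_leaks(secret, {"variable_list": render_variable_list(variables),
                                "audit_log": render_audit_log(events, {secret})})
    return before, after


if __name__ == "__main__":
    print(demo())  # (['audit_log'], [])
```

The `find_leaks` check is the part worth keeping around: render every page that can show a variable (list, detail, audit log, rendered task templates) and assert that a known test secret appears in none of them, so a new surface that bypasses the masker fails a test rather than shipping.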
saurabhb posted a comment.
November 13, 2024, 10:57am UTC
Hi Team,
Any updates on this? I am waiting for the 1st response.
Thanks,
Saurabh
saurabhb posted a comment.
November 15, 2024, 9:39am UTC
Hi Team,
Here is the link to the announced security advisory that also confirms the CVE: https://www.cve.org/CVERecord?id=CVE-2024-50378 (I had not put this in the original report, so I am posting it as a comment.)
Thanks,
Saurabh
saurabhb posted a comment.
November 25, 2024, 6:28am UTC
Hi Team,
Any updates on this? It has been over 18 days since I reported this issue and I have not yet received a first response from your side.
Thanks,
Saurabh
rewarded saurabhb with a bounty.
November 30, 2024, 2:30pm UTC
Thank you for your contribution to making the Internet safer!
This bounty was awarded with an 80/20% split. An additional $126 will be paid to the project.
HackerOne staff closed the report and changed the status to Resolved. Thanks for the submission!
HackerOne staff requested to disclose this report.
posted a comment.
December 2, 2024, 4:58am UTC
saurabhb posted a comment.
December 5, 2024, 10:23am UTC
@pr0tag0nist, can you please reply to my previous comment? Thanks!
saurabhb posted a comment.
December 12, 2024, 11:38am UTC
@pr0tag0nist, can you please reply to my previous comment? Thanks!
This report has been disclosed.
HackerOne staff posted a comment.
December 30, 2024, 2:31pm UTC
Apologies for the delay in response @saurabhb. The attachment has been removed.