You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@apache.org by Kaxil Naik <ka...@apache.org> on 2020/12/11 13:35:56 UTC

CVE-2020-17511: Apache Airflow Airflow admin password gets logged in plain text

Hi Airflow community,

Please find below the information about a vulnerability which has been
addressed in Apache Airflow v1.10.13. Airflow 1.10.13 contains a bug so I
would recommend users to upgrade to Airflow 1.10.14 (released yesterday):

*CVE-2020-17511: Apache Airflow Airflow admin password gets logged in plain
text*

*Description*:
In Airflow < 1.10.13, when creating a user using airflow CLI, the password
gets logged in plain text in the Log table in Airflow Metadatase. Same
happened when creating a Connection with a password field.

*Credit*:
Ali Al-Habsi of Accellion


Thanks.
Kaxil @ Airflow PMC