CVE-2020-17511

{"id": "CVE-2020-17511", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-12-14T10:15:12.373", "references": [{"url": "https://lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/ree782a29d927b96bf0b39fb92e2f1f09ea3112a985f7a08ce93765ac%40%3Cusers.airflow.apache.org%3E", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection with a password field."}, {"lang": "es", "value": "En Airflow versiones anteriores a 1.10.13, cuando se crea un usuario usando la CLI de airflow, la contrase\u00f1a se registra en texto plano en la tabla de Registro en Airflow Metadatase. Lo mismo sucedi\u00f3 cuando se cre\u00f3 una Conexi\u00f3n con un campo de contrase\u00f1a."}], "lastModified": "2024-11-21T05:08:15.580", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C49F036-33E7-4903-8B4C-DBA313191E97", "versionEndExcluding": "1.10.13"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}