Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN856
_____________________________________________________________________

DATE                : 15/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior
                                      to 3.1.4.

=====================================================================
https://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g
https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2
_____________________________________________________________________

CVE-2025-66388: Apache Airflow: Secrets in rendered templates not
redacted properly and exposed in the UI
Severity: low 

Affected versions:

- Apache Airflow (apache-airflow) 3.1.0 before 3.1.4

Description:

A vulnerability in Apache Airflow allowed authenticated UI users to
view secret values in rendered templates due to secrets not being
properly redacted, potentially exposing secrets to users without
the appropriate authorization.

Users are recommended to upgrade to version 3.1.4, which fixes
this issue.

Credit:

William Ashe (finder)
Amogh Desai (remediation developer)

References:

https://github.com/apache/airflow/pull/58772
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-66388

_____________________________________________________________________

CVE-2025-65995: Apache Airflow: Disclosure of secrets to UI via kwargs
Severity: moderate 

Affected versions:

- Apache Airflow (apache-airflow) before 3.1.4

Description:

When a DAG failed during parsing, Airflow’s error-reporting in the UI
could include the full kwargs passed to the operators. If those
kwargs contained sensitive values (such as secrets), they might be
exposed in the UI tracebacks to authenticated users who had
permission to view that DAG. 

The issue has been fixed in Airflow 3.1.4, and users are strongly
advised to upgrade to prevent potential disclosure of sensitive
information.

Credit:

Frieder Gottman (Cariad) (finder)
Jens Scheffler (Bosch) (reporter)
Jens Scheffler (Bosch) (remediation developer)

References:

https://github.com/apache/airflow/pull/58252
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-65995



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================