CVE-2022-27949: 
Apache Airflow vulnerability analysis and mitigation

A vulnerability in the UI of Apache Airflow (CVE-2022-27949) allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed, particularly when they were depending on past instances where the task failed. This vulnerability affects Apache Airflow versions prior to 2.3.1. The issue was discovered and disclosed in November 2022 (CVE Mitre, NVD).

The vulnerability occurs when task instances are not executed, and the system attempts to render template values. In normal execution, the system creates RenderedTaskInstanceFields where masked values are stored through a redaction process. However, when tasks are not executed, RenderedTaskInstanceFields is not created, leading to unmasked secrets being displayed in the UI. The issue was classified with a low severity rating (OSS Security).

The vulnerability exposes sensitive information by allowing attackers to view unmasked secrets in the Apache Airflow UI for tasks that have not been executed. This could potentially lead to the disclosure of confidential information such as API keys, passwords, or other sensitive configuration data (GitHub PR).

The vulnerability was fixed in Apache Airflow version 2.3.1. Users are recommended to upgrade to this version or later to address the security issue. The fix involves proper handling of secret masking for non-executed tasks (GitHub PR).