CVE-2023-51702: 
Python vulnerability analysis and mitigation

Since version 5.2.0 of Apache Airflow CNCF Kubernetes provider, a security vulnerability was discovered where the Kubernetes configuration file used for authentication in deferrable mode was being stored unencrypted. The vulnerability (CVE-2023-51702) affects Apache Airflow CNCF Kubernetes provider versions 5.2.0 to 7.0.0 and Apache Airflow versions 2.3.0 to 2.6.1. The issue was disclosed on January 24, 2024 (NVD).

When using deferrable mode with a Kubernetes configuration file path for authentication, the Airflow worker serializes the configuration file as a dictionary and stores it in metadata without encryption. Additionally, in Airflow versions between 2.3.0 and 2.6.0, the configuration dictionary is logged as plain text in the triggerer service without masking. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

This vulnerability allows anyone with access to the metadata or triggerer log to obtain the configuration file and potentially use it to access the Kubernetes cluster. The exposure of these credentials could lead to unauthorized access to the Kubernetes infrastructure (OSS Security).

Users are recommended to upgrade to Apache Airflow CNCF Kubernetes provider version 7.0.0 or later, which fixes this issue by changing the behavior to stop serializing the file contents and instead providing the file path to read the contents into the trigger. The fix was implemented through multiple pull requests that modified how sensitive information is handled (GitHub PR, GitHub PR).