CVE-2024-50378: 
Apache Airflow vulnerability analysis and mitigation

CVE-2024-50378 affects Apache Airflow versions before 2.10.3, where sensitive variables set through the Airflow CLI were exposed in audit logs and stored unencrypted in the Airflow database. The vulnerability was discovered by Saurabh Banawar and remediated by Shubham Raj (OSS Security).

The vulnerability allows authenticated users with audit log access to view sensitive values in audit logs that should have been masked. When administrators set sensitive variables using the Airflow CLI, these values were not properly masked and appeared in plain text in both the audit log and the Airflow database (NVD). The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability exposes sensitive information to users who have audit log access. While the scope is limited to authenticated users with specific permissions, it could lead to the exposure of confidential configuration values and secrets (OSS Security).

Users are recommended to upgrade to Apache Airflow version 2.10.3 or later, which addresses this issue. Additionally, administrators who previously used the CLI to set secret variables should manually delete entries containing those variables from the log table (OSS Security).