CVE-2025-68438

{"id": "CVE-2025-68438", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-68438", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T16:09:05.105917Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security@apache.org", "affectedData": [{"vendor": "Apache Software Foundation", "product": "Apache Airflow", "versions": [{"status": "affected", "version": "3.1.0", "lessThan": "3.1.6", "versionType": "semver"}], "packageName": "apache-airflow", "collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected"}]}], "published": "2026-01-16T11:16:03.760", "references": [{"url": "https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/15/5", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core]\u00a0max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.\n\nUsers are recommended to upgrade to 3.1.6 or later, which fixes this issue"}, {"lang": "es", "value": "En versiones de Apache Airflow anteriores a la 3.1.6, cuando los campos de plantilla renderizados en un DAG exceden [core] max_templated_field_length, valores sensibles podr\u00edan quedar expuestos en texto claro en la interfaz de usuario de Plantillas Renderizadas. Esto ocurri\u00f3 porque la serializaci\u00f3n de esos campos utilizaba una instancia de enmascarador de secretos que no inclu\u00eda patrones mask_secret() registrados por el usuario, por lo que los secretos no se enmascaraban de forma fiable antes de la truncaci\u00f3n y visualizaci\u00f3n.\n\nSe recomienda a los usuarios actualizar a la 3.1.6 o posterior, lo que corrige este problema."}], "lastModified": "2026-06-17T09:59:05.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3200C37B-AA6B-4DDC-9CFB-93D59243BF2A", "versionEndExcluding": "3.1.6", "versionStartIncluding": "3.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}