Apache Airflow Exposed configuration - Vulnerability Database

Apache Airflow Exposed configuration

Description

Apache Airflow is an open-source workflow management platform for data engineering pipelines. This vulnerability occurs when the Airflow configuration file (airflow.cfg) is publicly accessible without authentication due to the 'expose_config' setting being enabled.

The configuration file may contain sensitive information including database connection strings, secret keys, authentication credentials, and internal system architecture details. Airflow is designed to operate within trusted environments and should not be exposed to untrusted networks or the public internet.

Remediation

Disable public access to the Airflow configuration file by modifying the airflow.cfg settings file:

1. Locate the [webserver] section in your airflow.cfg file
2. Set the 'expose_config' parameter to 'False':

[webserver]
expose_config = False

3. Restart the Airflow webserver for changes to take effect
4. Additionally, ensure Airflow is deployed behind proper authentication mechanisms and is not directly accessible from untrusted networks
5. Implement network-level access controls (firewall rules, VPN, or IP whitelisting) to restrict access to authorized users only
6. Review and rotate any credentials that may have been exposed in the configuration file
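As an added example (not Invicti's or Apache Airflow's own code), the script below audits the remediation in steps 1 and 2: it parses an airflow.cfg the way Airflow does (INI format, with interpolation disabled because Airflow config values contain literal % signs) and reports whether the configuration page is exposed. It also honours the AIRFLOW__WEBSERVER__EXPOSE_CONFIG environment variable, which Airflow gives precedence over the file, so a file that says False can still be overridden at deployment time. The two sample configs and the credential in them are constructed for illustration.

```python
"""Audit whether an Airflow deployment exposes its configuration.

Added example, not part of the vulnerability database entry or of Airflow.
Precedence modelled here (as in Airflow): environment variable, then the
[webserver] section of airflow.cfg, then Airflow's shipped default of False.
"""
import configparser
import os
from typing import Mapping, Optional

# Airflow maps AIRFLOW__<SECTION>__<KEY> environment variables onto config keys.
ENV_KEY = "AIRFLOW__WEBSERVER__EXPOSE_CONFIG"

# Spellings Airflow accepts as a boolean false. Anything else is treated as
# exposed so that typos and non-boolean values raise the finding, not hide it.
FALSE_VALUES = {"false", "0", "no", "n", "f"}

# Constructed sample: the vulnerable state, including the kind of secret the
# description warns about (a database connection string with a password).
VULNERABLE_CFG = """\
[core]
dags_folder = /opt/airflow/dags
sql_alchemy_conn = postgresql+psycopg2://airflow:CONSTRUCTED-PASSWORD@db/airflow

[logging]
log_format = [%%(asctime)s] %%(levelname)s - %%(message)s

[webserver]
expose_config = True
"""

# Constructed sample: the same file after applying the remediation.
FIXED_CFG = VULNERABLE_CFG.replace("expose_config = True", "expose_config = False")


def effective_expose_config(cfg_text: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the raw value Airflow would use for [webserver] expose_config."""
    env = os.environ if env is None else env
    if ENV_KEY in env:
        return env[ENV_KEY].strip()
    # interpolation=None: Airflow values such as log_format contain '%' that
    # configparser would otherwise try to expand and fail on.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.get("webserver", "expose_config", fallback="False").strip()


def is_config_exposed(cfg_text: str, env: Optional[Mapping[str, str]] = None) -> bool:
    """True unless the effective value is an explicit false."""
    return effective_expose_config(cfg_text, env).lower() not in FALSE_VALUES


def audit(cfg_text: str, env: Optional[Mapping[str, str]] = None) -> str:
    """One-line finding suitable for a scan report."""
    value = effective_expose_config(cfg_text, env)
    source = "environment" if ENV_KEY in (os.environ if env is None else env) else "airflow.cfg"
    if is_config_exposed(cfg_text, env):
        return f"FAIL: expose_config = {value!r} ({source}); configuration is exposed"
    return f"PASS: expose_config = {value!r} ({source})"


if __name__ == "__main__":
    print(audit(VULNERABLE_CFG, env={}))
    print(audit(FIXED_CFG, env={}))
    # The file is fixed but a deployment-time override re-enables exposure.
    print(audit(FIXED_CFG, env={ENV_KEY: "True"}))
```

Run it against a real deployment by replacing the constructed samples with the contents of the live airflow.cfg and the webserver process's environment; the third case in the usage block is the one that is easy to miss when only the file is reviewed, which is why step 4's check of how Airflow is deployed matters as much as the edit itself.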
