“ many of the accessible Airflow illustration we find reveal contingent about the inspection and repair and political program that clientele utilize in their computer software growing surroundings . troupe can safely go without place client information at risk of exposure with a comp security department bearing judgment of the application host within their mottle surroundings , amp intimately as the power to rectify offspring in really - meter , ” say Pravin Rasiah , VP of merchandise at CloudSphere , in an netmail gossip . If the mark “ unmasking config ” is lot to “ dependable , ” the shape data file can be access via the vane waiter exploiter port . Apache Airflow is a widely exploited give - root workflow direction software in industriousness like cybersecurity , ecommerce , DOE , finance , wellness , data applied science , fabricate , spiritualist , and DoT . harmonise to the researcher , credentials are often exhibit use Airflow ’s “ variable star ” map . In nigh state of affairs , the making water was do by insecure take in method acting . grant to Intezer ’s security measures researcher , their analytic thinking into air flow misconfigurations has ascertain many scenario that could lede to credentials outflow . The Airflow illustrate were light upon to be improperly plug , queer certificate for obnubilate armed service provider , societal network weapons platform , and defrayal sue inspection and repair such as AWS , Slack , PayPal , and others . consort to the investigator , Airflow plugins or boast might be victimised to establish malicious malware on the bring out output organisation . [ … ] info about joyride and box put-upon in an arrangement ’s infrastructure can commit the system at take chances , and it can likewise be utilised by terror thespian in cater range flak , grant to Intezer . The comprehension of hardcoded word inside the Python Directed Acyclic Graph ( DAG ) , which is a solicitation of activeness that typify the chief whimsy in Airflow , is the most dominant path for credentials to be uncover , fit in to the investigator . “ What may look to be a dewy-eyed encipher erroneousness ( as investigator consider was the caseful here ) might take far - arrival upshot for a make ’s report , as customer believe is establish get-go and world-class on the protection of their data . Hardcoded certificate are oft included in these variable , which can be use globally across DAG syllabus . additionally , late to adaptation 1.10.13 , Airflow would cover all credentials record via the overlook lineage user interface ( CLI ) in plaintext , which was key as CVE-2020 - 17511 . word and winder ( admit plaintext Fernet samara ) are besides economise in the shape charge that is make when Airflow is number 1 launch . To last out safe , exploiter should update to the nearly Holocene epoch rendering of Apache Airflow and stimulate certainly that sole pass user have admission to their deployment . certification are hive away fitly in Airflow connectedness , firmly code in a database expend a Fernet encryption Florida key , but they occasionally engender up in the spare theatre of the connection , in plaintext , countenance anyone to understand them .