Apache Airflow Providers Elasticsearch Logging Credential Leak Vulnerability

A vulnerability exists in the Elasticsearch logging provider of Apache Airflow Providers Elasticsearch, in versions prior to 6.5.3. When the logging provider is configured with a host URL that includes credentials, such as 'https://user:password@server.example.com:9200', the full URL with the embedded credentials is logged in task logs. This allows any user with permission to read task logs to access the backend credentials. The issue arises from the logging provider's handling of URLs with embedded credentials, which are not properly sanitized before being written to the log.

Impact

Exposed backend credentials for Elasticsearch, which could be harvested by users with task-log read permission.

Remediation

Users are advised to upgrade to Apache Airflow Providers Elasticsearch version 6.5.3 or later. As an additional security measure, configure backend credentials using a secret backend instead of embedding them in the Elasticsearch host URL.