Apache Airflow Amazon provider
cpe:2.3:a:apache:apache-airflow-providers-amazon:*:*:*:*:*:*:*
- < 9.28.0
A vulnerability exists in the AWS Secrets Manager and SSM Parameter Store backends of the Apache Airflow Amazon provider, affecting versions prior to 9.28.0. The issue arises from the team-scoping logic, which could incorrectly resolve a connection ID containing a slash to the same path as another team's secret when the caller lacked team context. This flaw allowed a privileged caller without team context to access another team's secret by crafting a conflicting connection ID. The vulnerability impacts only the experimental multi-tenant teams feature.
Exploitation of this vulnerability allowed unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store, potentially leading to the disclosure of sensitive information.
Users are advised to upgrade to Apache Airflow Amazon provider version 9.28.0 or later, which addresses this vulnerability by changing the team-scope separator to double hyphens and rejecting team-shaped connection IDs when team context is not present.
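As an added illustration (not the provider's own code; the `airflow/connections` prefix and the exact path layout are assumptions), a minimal model of the collision the advisory describes and of the two changes that close it: the `--` team separator and the rejection of team-shaped connection IDs when no team context is present.

```python
from typing import Optional

# Assumed layout for this example: the secret name is a fixed prefix plus the
# connection ID, with the team scope inserted in front when team context exists.
CONN_PREFIX = "airflow/connections"
TEAM_SEP = "--"  # separator the advisory says 9.28.0 switched to


def vulnerable_path(conn_id: str, team: Optional[str]) -> str:
    """Pre-fix behaviour (modelled): team scope is just another '/' segment, so a
    caller with no team context can name a path inside another team's scope."""
    if team is None:
        return f"{CONN_PREFIX}/{conn_id}"
    return f"{CONN_PREFIX}/{team}/{conn_id}"


def hardened_path(conn_id: str, team: Optional[str]) -> str:
    """Post-fix behaviour (modelled on the advisory): team scope uses '--', and a
    connection ID that looks team-scoped is rejected when no team context is set."""
    if team is None:
        if TEAM_SEP in conn_id:
            raise ValueError(f"team-shaped connection id {conn_id!r} without team context")
        return f"{CONN_PREFIX}/{conn_id}"
    if TEAM_SEP in team:
        # Extra check added in this example (not stated in the advisory): keep the
        # separator unambiguous by refusing team names that contain it themselves.
        raise ValueError(f"team name {team!r} contains the scope separator")
    return f"{CONN_PREFIX}/{team}{TEAM_SEP}{conn_id}"


def collides(path_fn, crafted_id: str, team: str, team_conn_id: str) -> bool:
    """True when a caller with no team context asking for `crafted_id` resolves to
    the same secret name as `team`'s own connection `team_conn_id`."""
    try:
        return path_fn(crafted_id, None) == path_fn(team_conn_id, team)
    except ValueError:
        return False  # rejected before any backend lookup happens


if __name__ == "__main__":
    # Constructed sample: team "team-a" owns connection "db".
    print(collides(vulnerable_path, "team-a/db", "team-a", "db"))  # True
    print(collides(hardened_path, "team-a/db", "team-a", "db"))    # False
    print(collides(hardened_path, "team-a--db", "team-a", "db"))   # False
```

The third call shows the second half of the fix: with the new separator, a team-shaped ID presented without team context is refused outright rather than resolved.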