Apache Airflow OpenSearch Logging Credential Leak Vulnerability

Vulnerability

A vulnerability exists in the OpenSearch logging provider of Apache Airflow, specifically in versions prior to 1.9.1. When the host URL is configured to include credentials, such as in the format 'https://user:password@server.example.com:9200', the full URL with the embedded credentials is logged in task logs. This allows any user with permission to read task logs to access the backend credentials. To address this issue, users should upgrade to 'apache-airflow-providers-opensearch' version 1.9.1 or later. Additionally, as a defense-in-depth measure, it is recommended to configure backend credentials using a secret backend instead of embedding them in the OpenSearch host URL.

Impact

Exposed backend credentials to users with task-log read permission.

Remediation

Upgrade to 'apache-airflow-providers-opensearch' version 1.9.1 or later. As a defense-in-depth measure, configure backend credentials via a secret backend instead of embedding them in the OpenSearch host URL.
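The leak described above happens when a logger formats the configured host URL verbatim, userinfo included. The following added example (not part of the advisory and not the provider's own code) shows the defensive pattern in two directions: a redaction helper that strips the `user:password@` portion before a URL is written to a log, and a scanner that reviews existing task-log text for credential-bearing URLs so an operator can find what has already been exposed and rotate it. The log lines, host names and helper names are constructed for illustration.

```python
"""Redact credentials embedded in URLs before logging, and scan logs for ones already leaked."""
from __future__ import annotations

import re
from urllib.parse import urlsplit, urlunsplit

# Matches http(s) URLs in free text; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def redact_url_credentials(url: str) -> str:
    """Return url with any userinfo (user:password@) replaced by '***@'."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url  # nothing embedded, return unchanged
    # rpartition keeps passwords that themselves contain '@' (percent-encoded or not) intact
    _userinfo, _, hostport = parts.netloc.rpartition("@")
    return urlunsplit(parts._replace(netloc="***@" + hostport))


def find_credential_urls(log_text: str) -> list[tuple[int, str]]:
    """Scan log text and return (line number, redacted URL) for each URL carrying userinfo."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(".,;)")
            if "@" in urlsplit(url).netloc:
                # Report the redacted form so the scanner's own output does not re-leak the secret.
                hits.append((lineno, redact_url_credentials(url)))
    return hits


def safe_log_line(template: str, url: str) -> str:
    """What a hardened logger should do: redact the URL before it is formatted into a message."""
    return template.format(host=redact_url_credentials(url))


# Constructed sample task log (hypothetical lines, not real Airflow output).
SAMPLE_LOG = """\
[2026-05-11 09:18:00] INFO - Connecting to OpenSearch at https://user:password@server.example.com:9200
[2026-05-11 09:18:01] INFO - Index airflow-logs ready on https://server.example.com:9200
[2026-05-11 09:18:02] INFO - Retrying http://svc:s3cr%40t@search.internal:9200/_cluster/health.
"""

if __name__ == "__main__":
    for lineno, url in find_credential_urls(SAMPLE_LOG):
        print(f"line {lineno}: credential-bearing URL {url}")
    print(safe_log_line("Connecting to {host}", "https://user:password@server.example.com:9200"))
```

Running the scanner over a real log directory is a reasonable triage step after upgrading: any hit means the credential was readable by everyone with task-log access and should be rotated, not just redacted going forward. The redaction helper is the pattern to apply at the logging call site; storing the credential in a secret backend, as the remediation recommends, removes it from the URL entirely so there is nothing left to redact.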

Added: May 11, 2026, 9:18 AM
Updated: May 11, 2026, 9:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 7.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.