Airbyte 0.62.2 Security Update

Security Update from Airbyte

Note: This only affects users of the Connector Builder UI.

Airbyte was alerted to a security vulnerability, identified as a Remote Code Execution (RCE) issue, that allows another logged-in user to gain access to the underlying Docker image of the connector builder.

Sensitive information, such as credentials, could have been exposed if a user tested a new connector on a compromised instance of the connector builder. This component is used to create and test new connectors. It does not have access to any data processes. It is also important to note that an attacker must have an account on the Airbyte system and be logged in to exploit this vulnerability.

Based on what we know now, there is no evidence that any secrets were shared via our platform or compromised.

Upon discovering the vulnerability, Airbyte immediately acted to close the security vulnerability and released an update to our platforms. The patch has been released to OSS (v0.62.2), our Cloud environment has been patched, and we have ongoing security efforts to ensure your instance stays secure.

Though this exploit is only possible if a user was logged in to your instance, we strongly recommend that everyone upgrade to the latest version of Airbyte as soon as possible to ensure the security and integrity of your system. The updated version contains a fix for this vulnerability, and upgrading will protect your systems from potential exploits. We also recommend rotating any test credentials used in the connector builder.

Action Required:

  1. Upgrade to the latest version: Please follow our instructions to upgrade to the latest version