CVE-2021-26559 – apache-airflow
Package
Manager: pip
Name: apache-airflow
Vulnerable Version: =2.0.0 || >=2.0.0 <2.0.1rc1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00297 pctl0.52591
Details
Improper Access Control in Apache Airflow.
Improper Access Control on the Configurations Endpoint for the Stable API of Apache Airflow allows users with the Viewer or User role to get Airflow Configurations, including sensitive information, even when `[webserver] expose_config` is set to `False` in `airflow.cfg`. This allowed a privilege escalation attack. This issue affects Apache Airflow 2.0.0.
Metadata
Created: 2021-04-07T21:05:57Z
Modified: 2024-11-18T16:26:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-ffw3-6mp6-jmvj/GHSA-ffw3-6mp6-jmvj.json
CWE IDs: ["CWE-269", "CWE-284"]
Alternative ID: GHSA-ffw3-6mp6-jmvj
Finding: F039
Auto approve: 1